Introduction

Planet was founded with the mission to image the Earth every day and make change visible, accessible, and actionable. Over the past decade with our customers, Planet has revolutionized the Earth observation industry, democratizing access to satellite data beyond the traditional agriculture and defense sectors.

To that end, Planet provides the leading web-geo platform with the highest frequency satellite data available and foundational analytics to derive insights, empowering users across the world to make impactful, timely decisions.

Planet employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems, and the data within them. This vulnerability disclosure program will give everyone the opportunity to help us accomplish our mission by making us the most secure and trusted web-geo platform.

We encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below.

Response Targets

Planet Labs will make a best effort to reply in a timely manner.

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing), physical penetration testing, and denial of service or volumetric attacks are prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

• Information tending to identify Planet’s customers or our customer’s usage of our system is particularly sensitive. Do not intentionally access Planet customer information. If you suspect a service provides access to Planet customer information, limit queries to your own personal information.

• Report the vulnerability immediately and do not attempt to access any other data.

• Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.

• You must delete all your local, stored, or cached copies of data containing Planet customer information as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.

• In connection with your participation in this program you agree to comply with Planet’s Terms of Use, Planet’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

• You may not participate in this program if

• you are a resident or individual located within a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control; or

• you are included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce; or

• you are affiliated in any way with a foreign terrorist organization as designated by the U.S. Department of State.

• Planet reserves the right to change or modify the terms of this program at any time.

Test Plan

Web traffic to and from Planet properties produce terabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Planets bug bounty programs:

Where possible, register accounts using your <username>@wearehackerone.com addresses. If you are in need to register multiple accounts, use <username>+<foobar>@wearehackerone.com.

Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.

You are a returning hacker revisiting our program and want to quickly see what changed since you looked at it the last time or you want to start hacking on new or updated features? Take a look at our Developers Changelog.

General documentation of our services is available at our Support page. Developers documentation is available at our Developers page

In Scope

Only the Planet-owned domains listed below are eligible for reward.

• *.planet.com

• *.planet-labs.com

Out of Scope

Third party services hosted on subdomains of planet.com, for example:

• https://support.planet.com

• https://learn.planet.com

• https://developers.planet.com/devtrial/#devtrial-signup-form

  • form submission goes to learn.planet.com

• https://developers.planet.com/contact-us/

  • form submission goes to a third party service

The most important information entrusted to Planet’s care concerns Planet’s customers and their use of Planet’s services. Informed by the CVSS scoring system, vulnerability disclosures concerning Planet customer information may reward higher amounts for exceptional reports.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Rate limiting or bruteforce issues on non-authentication endpoints

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure or Banner identification issues.

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

• Issues arising from static Planet API keys, including their use as query parameters

• Insufficient session expiration

• Password brute force or reset user enumeration

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Planet cannot and does not authorize security research in the name of other entities. You are expected, as always, to comply with all applicable laws and regulations.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this Policy.

Thank you for helping keep Planet and our users safe!