A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to locate through a simple, standard mechanism: a security.txt notice.
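A security.txt notice is only useful while it is valid: RFC 9116 requires a Contact field and an Expires field, and a reporter who finds an expired file has no reliable way to reach the organization. The following checker is an added example (not code from Scale, FireBounty, or Onyphe) that parses a security.txt body and flags missing required fields, an expired notice, or a Contact value that is not a mailto:, https: or tel: URI. The sample input below reuses the field values quoted on this page; the leading comment line, the function names and the reference times are constructed for the example.

```python
"""Minimal security.txt (RFC 9116) checker.

Added example, not Scale's or FireBounty's code. Intended for a defender
monitoring their own /.well-known/security.txt so that it never silently
expires; the field names follow RFC 9116 section 2.5.
"""
from datetime import datetime, timezone

# Constructed sample: field values copied from the notice quoted on this
# page; the comment line is added for illustration only.
SAMPLE_SECURITY_TXT = """\
# Scale security contact
Contact: mailto:security@scale.com
Expires: 2025-06-07T15:45:00.000Z
Canonical: https://scale.com/.well-known/security.txt
Policy: https://scale.com/legal/security
"""

REQUIRED_FIELDS = ("Contact", "Expires")  # mandatory per RFC 9116


def parse_security_txt(text):
    """Return a dict mapping lower-cased field name -> list of values.

    Field names are case-insensitive; values are kept as written. Comment
    lines (#) and blank lines are skipped, and lines without a colon are
    ignored rather than treated as fatal.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an ISO 8601 Expires value into a timezone-aware datetime."""
    # Python < 3.11 rejects a trailing 'Z' in fromisoformat, so map it to
    # an explicit UTC offset first.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text, now):
    """Validate a security.txt body against the reference time `now`.

    Returns a list of problem descriptions; an empty list means the file
    has the required fields and has not expired.
    """
    problems = []
    fields = parse_security_txt(text)
    for name in REQUIRED_FIELDS:
        if name.lower() not in fields:
            problems.append(f"missing required field: {name}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    if expires:
        try:
            when = parse_expires(expires[0])
        except ValueError:
            problems.append(f"unparseable Expires value: {expires[0]}")
        else:
            if when <= now:
                problems.append(f"security.txt expired on {when.isoformat()}")
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    return problems


if __name__ == "__main__":
    # Check the sample against the current time; print "ok" if clean.
    report = check_security_txt(SAMPLE_SECURITY_TXT, datetime.now(timezone.utc))
    for line in report or ["ok"]:
        print(line)
```

Run the script periodically (for example from a cron job against the file fetched from the canonical URL) and alert when the returned list is non-empty; the Expires check is the one most often missed, since a notice that validated at publication time quietly becomes stale.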
Contact: mailto:security@scale.com
Expires: 2025-06-07T15:45:00.000Z
Canonical: https://scale.com/.well-known/security.txt
Policy: https://scale.com/legal/security

Scale currently has a beta Bug Bounty program; the program is run via email at vulnerabilities@scale.com. Scale’s Bug Bounty program is intended to help us find high and critical vulnerabilities in our external infrastructure and core application. Included in the scope of Scale’s bug bounty is everything on the *.scale.com domain. That said, a number of attacks and kinds of vulnerability testing are explicitly out of scope in our program. The following items should be considered out of scope:

- Physical or social engineering attempts (this includes phishing attacks against Scale employees)
- Ability to send push notifications/SMS messages/emails without the ability to change content
- Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.)
- Findings with negligible security impact
- Unchained open redirects
- Reports that state that software is out of date/vulnerable without a proof-of-concept
- Highly speculative reports about theoretical damage
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- SSL/TLS scan reports (i.e. output from sites such as SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
- CSV injection
- Best practices concerns
- Protocol mismatch
- Rate limiting
- Exposed login panels
- Dangling IPs
- Vulnerabilities that cannot be used to exploit other users or Scale -- e.g. self-XSS or having a user paste JavaScript into the browser console
- Content injection issues
- Missing cookie flags on non-authentication cookies
- Cross-site Request Forgery (CSRF) with minimal security implications (logout CSRF, etc.)
- Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our application that are currently in the app stores
- Issues that require physical access to a victim’s computer/device
- Stack traces
- Path disclosure
- Directory listings
- Banner grabbing issues (figuring out what web server we use, etc.)
- If a site is abiding by the privacy policy, there is no vulnerability.
- Enumeration/account oracles:
  - UUID enumeration of any kind
  - Invite/promo code enumeration
  - Gift card enumeration
  - Account oracles -- the ability to submit a phone number, email or UUID and receive back a message indicating that a Scale account exists
- Distributed denial of service attacks (DDoS)

High quality submissions allow our team to understand the issue better and engage the appropriate teams to fix it. The best reports provide enough actionable information to verify and validate the issue without requiring any follow-up questions for more information or clarification. Check the scope before you begin writing your report to ensure the issue you are reporting is in scope for the program. Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue (include screenshots if possible). Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better. We cannot pay out after the fact if we don’t have evidence and a mutual understanding of security impact. In some cases, it may not be possible to have all of the context on the impact of a bug.
If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask. Video-only proof-of-concepts (PoCs) will not be considered. A vulnerability must be verifiable and reproducible for us to consider it in scope. All reports must demonstrate security impact to be considered for a bounty reward. Include a CVSS vector string supporting the severity of the vulnerability you are reporting. More guidance on writing high quality reports can be found here: https://docs.hackerone.com/hackers/quality-reports.html

The following ratings are based on the CVSS v3 security scale, and are our general vulnerability payout scale:

- Informational: No payout
- Low - Medium: $0-$100 and Hall of Fame thanks
- High - Critical: $100-$500 and Hall of Fame thanks

Previous bounty amounts are not considered a precedent for future bounty amounts. Bounty awards are not additive and are subject to change as our internal environment evolves. We determine the upper bound for security impact and award based on that impact. When determining bounty amounts, we consider the security impact of any given issue -- the things that influence security impact are the scale of exposure and the various mitigating and multiplying factors. Bounty payouts and amounts, if any, will be determined by us in our sole discretion. In no event are we obligated to provide a payout for any submission. The format, currency and timing of all bounty payouts shall be determined by us in our sole discretion. You are solely responsible for any tax implications related to any bounty payouts you may receive. If we receive several reports for the same issue, only the earliest valid report that meets requirements and provides enough actionable information to identify the issue may be considered for a bounty. Further, you understand that your participation in the program is at your own risk.
To the fullest extent permitted by applicable law, except as otherwise provided herein, in no event shall Scale, its affiliates or their employees, contractors, agents, officers or directors be liable to you or the entity through which you are participating in Scale’s bug bounty program for any indirect, punitive, incidental, special, consequential or exemplary damages, including without limitation damages for business interruption, loss of profits, goodwill, use, data or other intangible losses arising out of or relating to this program. If you have any basis for recovering damages in connection with the program (including breach of these terms), you agree that your exclusive remedy is to recover, from Scale or any affiliates, resellers, distributors, and vendors, direct damages up to but not in excess of $200.00 (USD). The exclusions and limitations in this section apply whether the alleged liability is based on contract, tort, negligence, strict liability or any other basis, even if the non-breaching party has been advised of the possibility of such damage.

Hall of Fame Reports:

- February 11, 2025 - Sourish Das
- November 7, 2024 - Mehrab Hossein Opi
- October 4, 2024 - Javeed Shaik
- September 30, 2024 - Mridul Vohra
- June 17, 2024 - Sterling Wright
- April 3, 2023 - Gia Bui & An Trinh with Calif Inc. (https://calif.io)
This policy, crawled by Onyphe on 2026-03-01, is categorized as securitytxt.
FireBounty © 2015-2026