Company

BookBeat is a subscription service for audiobooks and eBooks.

Program Rules

• We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
• If you believe you have found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
• Any type of denial-of-service (DoS) attack is strictly forbidden, as well as any interference with network equipment or BookBeat infrastructure.
• Do not persist copyrighted content such as audio and eBook files.
• Only applicative flaws will be rewarded.
• Testing with real customer accounts that do not belong to you is prohibited.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submit valid reports which help us improve the security of BookBeat. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability (see below).
• Any vulnerability found must be reported no later than 24 hours after discovery, exclusively through yeswehack.com.
• You must send a clear textual description of the report along with steps to reproduce the issue (include attachments such as screenshots or proof of concept code as necessary).
• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and put limits on your requests per second).
• You must not leak, manipulate, or destroy any user data.
• You must not be a former or current employee of BookBeat or one of its contractors.
• Reports about vulnerabilities are examined by our security analysts.
• Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
• No vulnerability disclosure, including partial is allowed for the moment.

SYSTEM UPDATES

• 2024-01-27. We recently made a significant update to how our site handles markets. The new feature is automatic recognition of geolocation but there are more underlying changes. Hopefully this all works as intended with no unintentional leaks of content between markets or url-manipulation vulnerabilities.