Dashlane recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.
Provide us a reasonable amount of time to respond and/or fix the issue.
Make a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
Please refrain from automated/scripted account creation.
At this time, the scope of our bug bounty program includes the assets listed below, in particular any vulnerability that could allow a remote attacker to force the extensions to send credentials to a rogue site:
Our website, www.dashlane.com, in particular:
our web application, https://www.dashlane.com/app/
our new features regarding Dashlane for Business (https://www.dashlane.com/business/try)
Our APIs endpoints:
logs.dashlane.com
ws1.dashlane.com
api.dashlane.com
The native client applications on Mac OS and Windows.
The native client application on iOS
The native client application on Android
Our standalone extensions (Chrome, Edge, Firefox); see the asset section.
The business features (SAML, Group sharing, Emergency, etc.).
Our new SSO SAML connector (https://support.dashlane.com/hc/en-us/sections/360004143940-Single-sign-on-SSO-)
Dashlane may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $200 USD, but reward amounts may vary depending upon the severity of the vulnerability reported. Dashlane reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.
To qualify for a reward under this program, you should:
Be the first to report a specific vulnerability.
Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties (including vulnerability brokers) before we have addressed your report will forfeit the reward.
Don't use YouTube or any other public service, even unlisted, to post videos.
Create one report per vulnerability.
The following issues are out of scope:
Rate limiting remarks
Content injection
All hosts not listed below (please don't send reports for unlisted hosts)
Missing security headers which do not lead directly to a vulnerability
Self-inflicted XSS (self-XSS)
Missing best practices (we require evidence of a security vulnerability)
Missing cookie flags on non-sensitive cookies
Any report that discusses how you can learn whether an email address has a Dashlane account.
Disclosure of tools, libraries used by Dashlane and/or their versions
The "limited access" feature for shared credentials can be circumvented (https://support.dashlane.com/hc/en-us/articles/202870872-Can-other-people-see-the-password-I-shared-with-them-).
Bugs that involve physical attacks or social engineering against Dashlane offices or employees, spamming, malware distribution, or denial of service attacks.
The referral program grants a 6-month free membership (cumulative up to 2 years) for each invite; this is by design.
Attacks on desktop apps that require prior control of the host system (keylogger, memory dumping).
For subdomain takeover issues, verify your claim before reporting to avoid false positives.
SPF/DMARC remarks
Dead LinkedIn links on our Team page (https://www.dashlane.com/team); we do our best to keep it up to date and we don't think H1 researchers squatting team profiles is useful to anyone.
Expired certificates
Reports about embedded API keys with limited scopes (Braze, etc.).
CSV injection (formulas executed by Excel when opening exported CSV files).
Reports about the mere presence of API keys (if you can use them to abuse our services, you can file a report).
The domain blog.dashlane.com is out of scope.
Leak of Subcodes to third-party tracking services.
Any report that covers an issue outside the scope of this program will be closed as N/A.
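As an added illustration of what "check your claim" means for a subdomain takeover report (this is example code, not Dashlane's or FireBounty's; the example.com hostnames, DNS records, HTTP bodies and provider fingerprints are constructed assumptions), the following pre-flight check requires the three things a reviewer will look for: the host is in scope, it carries a CNAME to a third-party service, and that target is actually unclaimed, either because it no longer resolves or because the provider serves its "resource not found" page. Lookups are injected as callables so the check runs offline.

```python
"""Pre-flight verification of a subdomain-takeover claim.

Added example, not code from Dashlane or FireBounty. DNS and HTTP lookups are
passed in as callables so the check runs offline against constructed data; for
live use, plug in dnspython and requests in their place.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Assumed provider suffixes and the text their unclaimed-resource pages contain.
# Illustrative assumptions for this example; confirm a provider's current
# behaviour before relying on a fingerprint.
UNCLAIMED_FINGERPRINTS: Dict[str, str] = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}


@dataclass
class Verdict:
    host: str
    takeover_possible: bool
    reason: str


def _under(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a label-aligned subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def check_claim(
    host: str,
    in_scope: Iterable[str],
    lookup_cname: Callable[[str], Optional[str]],
    resolves: Callable[[str], bool],
    fetch_body: Callable[[str], Optional[str]],
) -> Verdict:
    # 1. Unlisted hosts are rejected by the program regardless of the finding.
    if not any(_under(host, s) for s in in_scope):
        return Verdict(host, False, "host is not in program scope")
    # 2. A takeover needs a CNAME delegating the name to a third party.
    cname = lookup_cname(host)
    if cname is None:
        return Verdict(host, False, "no CNAME: record is not delegated to a third party")
    provider = next((p for p in UNCLAIMED_FINGERPRINTS if _under(cname, p)), None)
    if provider is None:
        return Verdict(host, False, f"CNAME target {cname} is not a known takeover-prone provider")
    # 3a. Dangling target: the name the CNAME points at no longer resolves.
    if not resolves(cname):
        return Verdict(host, True, f"CNAME {cname} does not resolve: dangling record")
    # 3b. Target resolves (wildcard providers): only the unclaimed page proves it.
    body = fetch_body(host)
    if body is not None and UNCLAIMED_FINGERPRINTS[provider] in body:
        return Verdict(host, True, f"{provider} serves its unclaimed-resource page for {cname}")
    return Verdict(host, False, "target resolves and serves content: resource is claimed")


# Constructed DNS/HTTP snapshot for example.com (not real records).
CNAMES: Dict[str, Optional[str]] = {
    "old-assets.example.com": "example-assets.s3.amazonaws.com",
    "docs.example.com": "example-org.github.io",
    "beta.example.com": "retired-app.herokuapp.com",
    "www.example.com": None,
}
RESOLVABLE = {"example-assets.s3.amazonaws.com", "example-org.github.io"}
BODIES: Dict[str, str] = {
    "old-assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html><body>Project documentation</body></html>",
}


def demo() -> Dict[str, bool]:
    """Run the check over the constructed snapshot; returns host -> verdict."""
    results: Dict[str, bool] = {}
    for host in [*CNAMES, "api.example.org"]:
        v = check_claim(host, ["example.com"], CNAMES.get, RESOLVABLE.__contains__, BODIES.get)
        results[host] = v.takeover_possible
        print(f"{v.host:26} {'TAKEOVER' if v.takeover_possible else 'no':8} {v.reason}")
    return results


if __name__ == "__main__":
    demo()
```

In the constructed snapshot only `old-assets` (bucket gone, provider error page) and `beta` (CNAME target no longer resolves) survive the check; `docs` points at a provider but serves real content, which is the usual false positive, and `api.example.org` is rejected on scope before any lookup happens.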
If you discover an out-of-scope bug in Dashlane while looking for security issues, you can report it to us by emailing our support team at support@dashlane.com or security@dashlane.com.
Thank you for helping keep Dashlane safe!
Scope Type | Scope Name |
---|---|
android_application | com.dashlane |
application | https://www.dashlane.com/fr/directdownload-v2?os=none&platform=website&target=archive_win |
application | https://www.dashlane.com/fr/directdownload-v2?os=OS_X_10_12_6&platform=website&target=launcher_macosx |
ios_application | com.dashlane.dashlanephonefinal |
mobile_applications | gehmmocbbkpblljhkekmfhjpfbkclbph |
other | Standalone Chrome extension |
undefined | SSO_Saml_connector |
web_application | ws1.dashlane.com |
web_application | console.dashlane.com |
web_application | www.dashlane.com |
web_application | logs.dashlane.com |
web_application | app.dashlane.com |
web_application | api.dashlane.com |
This program uses the scope types mobile_applications, web_application, ios_application, application, undefined and android_application.
FireBounty © 2015-2024