45466 policies in database
Link to program      
2017-05-03
2020-01-31
Dashlane logo
Thank
Gift
HOF
Reward

Reward

100 $ 

Dashlane

Dashlane recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Coordinated Disclosure Guidelines

  • Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.

  • Provide us a reasonable amount of time to respond and/or fix the issue.

  • Make a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.

  • Please refrain from automated/scripted account creation.

Scope

At this time, the scope of our bug bounty program includes ::

  • The autofill/autologin ability of our extensions :

Especially any vulnerability that could allow a remote attacker to force the extensions to send credentials to a rogue site.

  • Our website, www.dashlane.com, in particular:

    • our web application, https://www.dashlane.com/app/

    • our new features regarding Dashlane for Business (https://www.dashlane.com/business/try)

  • Our APIs endpoints:

    • logs.dashlane.com

    • ws1.dashlane.com

    • api.dashlane.com

  • The native client applications on Mac OS and Windows.

  • The native client application on IOS

  • The native client application on Android

  • Our standalone extensions (chrome, edge, FF), see the asset section.

  • The business features (SAML, Group sharing, Emergency, etc.).

  • Our new sso saml connector (https://support.dashlane.com/hc/en-us/sections/360004143940-Single-sign-on-SSO-)

Bounty Eligibility

Dashlane may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $200 USD, but reward amounts may vary depending upon the severity of the vulnerability reported. Dashlane reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

To qualify for a reward under this program, you should:

  • Be the first to report a specific vulnerability.

  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.

  • Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties -- including vulnerability brokers -- before we addressed your report will forfeit the reward.

  • Don't use youtube or any public service even unlisted to post videos

  • Create one report by vulnerability

Exclusion

  • Rate limit remarks

  • Content injection

  • All the hosts not listed bellow (please don't send reports for unlisted hosts)

  • Missing security headers which do not lead directly to a vulnerability

  • Self inflicted XSS

  • Missing best practices (we require evidence of a security vulnerability)

  • Missing cookie flags on non-sensitive cookies

  • Any report that discusses how you can learn whether a email address has a Dashlane account.

  • Disclosure of tools, libraries used by Dashlane and/or their versions

  • The "limited access" feature for the shared credentials can be circumvented (https://support.dashlane.com/hc/en-us/articles/202870872-Can-other-people-see-the-password-I-shared-with-them-)

  • Bugs that involve physical attacks or social engineering against Dashlane offices or employees, spamming, malware distribution, or denial of service attacks.

  • The referral program allows to obtain 6 month free membership (cumulative until 2 years) for each invite (on purpose)

  • Attacks on desktop apps that require prior control of the host system (keylogger, memory dumping).

  • For subdomain takeovers related issues, please check your claim before reporting to avoid false positives.

  • SPF/DMARC remarks

  • Dead Linkedin links in our Team page (https://www.dashlane.com/team), we do our best to keep it up to date and we don't think that H1 researchers squatting team profile is a useful for anyone.

  • Expired certificates

  • reports about embedded api keys with limited scopes (Braze, etc.).

  • Command injection in excel through CSV

  • Reports about the presence of api keys (if you can use them to abuse our services you can fill a report though).

  • the domain blog.dashlane.com is out of scope

  • Leak of Subcodes to tracking 3rd parties

Any reports that cover issues that are not in the scope of this program will be closed as N/A

If you discover an out-of-scope bug in Dashlane while looking for security issues, you can report it to us by emailing our support team at support@dashlane.com or security@dashlane.com

Thank you for helping keep Dashlane safe!

In Scope

Scope Type Scope Name
android_application

com.dashlane

application

https://www.dashlane.com/fr/directdownload-v2?os=none&platform=website&target=archive_win

application

https://www.dashlane.com/fr/directdownload-v2?os=OS_X_10_12_6&platform=website&target=launcher_macosx

ios_application

com.dashlane.dashlanephonefinal

mobile_applications

gehmmocbbkpblljhkekmfhjpfbkclbph

other

Standalone Chrome extension

undefined

SSO_Saml_connector

web_application

ws1.dashlane.com

web_application

console.dashlane.com

web_application

www.dashlane.com

web_application

logs.dashlane.com

web_application

app.dashlane.com

web_application

api.dashlane.com


This program feature scope type like application, ios_application, undefined, web_application, android_application, mobile_applications.

FireBounty © 2015-2024

Legal notices | Privacy policy