While no technology is perfect, PullString believes that working with skilled
security researchers across the globe is crucial to identifying and addressing
weaknesses. PullString practices a Responsible Disclosure policy. If you
believe you have found a security issue in our products or services, we
encourage you to notify us. We will work closely with you to resolve the issue.
Responsible Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue.
- Please include as many technical details as possible so that our security team can reproduce and confirm the issue in question.
- Once a security issue has been confirmed, our goal is to issue an update for the affected product(s) within 60 days. However, please give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Posting details or conversations about a report before it has been approved for disclosure, especially for high-severity bugs, will result in immediate disqualification from the program.
To show our appreciation of responsible security researchers, PullString
offers a monetary bounty for reports of qualifying security vulnerabilities.
Reward amounts will vary based upon the severity of the reported
vulnerability. Eligibility and award size are at our sole discretion.
- Open to anyone in the security community
- Employees and contractors of PullString are ineligible to claim bounties but may submit bug reports
Qualifying bugs will be rewarded based on severity. Our minimum reward is $100
USD, and our maximum reward is $5,000 USD. Rewards are only granted for new
and previously unidentified vulnerabilities and are granted entirely at the
discretion of PullString.
Any PullString service or product that handles sensitive user data is intended
to be in scope. The primary such product is the PullString Converse web app at
https://app.pullstring.com/. The Converse app does not offer a free trial,
so security researchers must first contact us at
email@example.com and provide an email address to receive an account.
We cannot grant authorization to test services managed by third-party
providers, so any third-party services that PullString uses are specifically
excluded from the scope of this program, such as
https://status.pullstring.com/ or https://help.pullstring.com/. This also
includes our marketing site, https://www.pullstring.com/, which is
hosted on a third-party service where we have very limited control over the
Any design or implementation issue that substantially affects the
confidentiality or integrity of user data is likely to be in scope for the
program. Common examples include:
- Cross-site scripting
- SQL injection
- Authentication or authorization flaws
- Server-side code execution bugs
- Privilege escalation
The following conditions are out of scope for purposes of the bug bounty
program and are not eligible for a bounty payment:
- User enumeration or brute-forcing of account passwords
- Cross-site Request Forgery
- Reports mentioning SSL/TLS or HTTPS best practices
- Reports mentioning weaknesses in SSL/TLS ciphersuites
- Reports mentioning SPF, DKIM, or DMARC policies
- Missing cookie flags on non-sensitive cookies
- Missing HTTP security headers
- Distributed Denial of Service (DDoS) or other high-volume network attacks
- Manipulating or replacing components of any hardware based products
- Any vulnerability obtained through the compromise of a PullString employee or contractor account. This type of activity will result in immediate and permanent disqualification from the program.
- Any vulnerability found through automated tools, port scans, or other means of large-scale automated exploitation
- Social engineering (including phishing) of PullString staff or contractors
- Any physical attacks against PullString property or data centers
- Any infringement of a third party’s intellectual property
- Services that are not managed by PullString
- Mattel websites and services
In addition, all participants must follow these rules:
- Do not break the law
- We cannot reward individuals who are on sanctions lists or who reside in countries subject to sanctions
- Avoid privacy violations, downloading personally identifiable information, destruction of data, and interruption or degradation of our service
- Only interact with accounts and hardware products you own or have the explicit permission of the account holder to test
Thank you for helping keep PullString and our users safe!