Mavenlink makes the security of our product a top priority and we value the role the security community plays in this process. If you believe that you've found a potential security issue in any of our products, please let us know right away. We're committed to working closely with anyone with a desire to help keep users safe. We investigate all reports.

Responsible Disclosure Policy

If you give us a reasonable amount of time to respond, verify, and fix your report before making any information public, and you make a good faith effort to avoid privacy violations, destruction of data, or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Security Research Guidance

• Please conduct your research in a manner that does not negatively impact other users of our service, either by degrading their experience, or by violating their privacy.
• Make a good faith effort to avoid accessing accounts or data that does not belong to you.
• Do not interact with other users without their permission.
• Refrain from using or reporting Denial of Service or Social Engineering attacks.
• Please do not use automated scanners or fuzzers, as they may affect our quality of service. All security testing must be manual.
• Please do not just copy and paste reports from other closed HackerOne tickets. Make sure you do your own work, and that you verify that a bug is actually valid.

Scope of Responsible Research

Please do not submit the "Request a Demo", "Request Access", or "Live Chat" forms, as they require time from our support and sales teams. Testing of these features is outside the scope of our Responsible Disclosure Policy.

The following domains are in scope for this Responsible Disclosure Policy:

• Our marketing website (https://www.mavenlink.com __)
• Our main application (https://app.mavenlink.com __)
• Our HTML5 mobile app (https://m.mavenlink.com __)
• Our API (https://api.mavenlink.com __)

Vulnerabilities in scope include:

• XSS vulnerabilities
• Missing CSRF tokens
• Remote code execution
• Unauthorized data access
• Any other attack that can likely result in unauthorized access to our systems' or users’ data

Please note that the following techniques and issues are not currently in scope:

• Bugs that affect only legacy browsers
• Attacks that require the use of the "Email messages and files to your project" feature
• Potential attacks that would require direct access to a user's computer
• Attacks that would require exceedingly unlikely user interaction
• Denial of service attacks
• Social engineering attacks
• Minor information leakage (such as web server version)
• Insecure cookies (all necessary cookies are marked as secure)
• Clickjacking on the login page
• Ratelimiting

The following domains are not currently in scope:

• start.mavenlink.com
• learn.mavenlink.com
• go.mavenlink.com
• blog.mavenlink.com
• mavengineering.com

We are mainly interested in specific security bugs. While you are welcome to submit "best practices", chances are that we are already aware of and have considered them.

Getting a test account

In order to test our full feature set, we recommend signing up for a free trial Premier account __.

Thanks!

We believe in giving credit where credit is due. If our customers end up more secure as a result of your work, we'll credit your discovery in our Security Hall of Fame. We may also offer small bounties at our discretion.

Duplicate reports

If more than one person submits the same issue the recognition will go to the first reporter. Please see the HackerOne guidelines for more info.

About Mavenlink

Mavenlink delivers enterprise-grade Software as a Service (SaaS) that transforms how businesses work with distributed teams, contractors and clients around the globe. Mavenlink's innovative technology suite enables organizations of any size to successfully manage and scale their people, projects, revenue and profitability. Consulting firms, creative agencies and professional services teams in more than 100 countries are running their businesses more efficiently and more elegantly with Mavenlink. Learn more at www.mavenlink.com __.