2017-01-09
2019-08-03
FormAssembly Vulnerability Disclosure Program Policy

FormAssembly believes that cybersecurity is a team sport, which is why collaborating with the community of skilled cybersecurity professionals is crucial to providing a trusted and secure application.

Response Targets

FormAssembly will try its best to meet the following response targets in our program.

| Response Efficiency Metric | Target |
| --- | --- |
| Time to First Response | Within 1 day (Standard is within 3 days) |
| Time to Triage | Within 3 days (Standard is within 10 days) |

| Time to Remediation | Target |
| --- | --- |
| Critical | 15 days |
| High | 30 days |
| Medium | 60 days |
| Low | 90 days |
| Informational | 120 days |

Note: All days above are in business days.

Program Rules

FormAssembly appreciates the community at HackerOne, but please follow these rules:

  • Please read and follow HackerOne’s Disclosure Guidelines

  • When scanning our in-scope applications using automated tools, please include your HackerOne username as an additional HTTP request header. (Example: HackerOne: <username>)

  • When creating a test account, please use your @wearehackerone.com alias.

  • When reporting a potential security vulnerability, please provide a step by step process for us to properly replicate your finding.

  • Do not upload screenshots and/or videos in third-party platforms aside from HackerOne.

  • Do not perform any destructive testing. Where a vulnerability may have an impact on our operations, ask permission first by sending an email to security@formassembly.com.

  • FormAssembly holds a lot of data, so we limit researchers to testing their own accounts; do not target customers' data.

  • Submit one (1) security vulnerability per report unless you need to chain multiple security vulnerabilities to attain a high severity report.

  • Please do not upload files in an archive/compress format; upload files individually.

Public Disclosure

At FormAssembly, one of our core values is Transparency. You may request to disclose your valid finding, but this decision will be made internally by the FormAssembly Security Team, and not all requests will be fulfilled. We will do our best to accommodate your request, but please keep in mind these decisions are based on what's best for our product, customers, and the organization.

Submitting a Vulnerability Report

You may follow the structure below when reporting a potential security vulnerability in our program.

  1. Overview of your finding

  2. Affected URL

  3. Affected parameter/field

  4. Steps to reproduce the issue

  5. Screenshots/Videos

In-Scope Vulnerabilities

FormAssembly is interested in receiving the following vulnerabilities:

  • Cross-Site Scripting (XSS)

  • Subdomain Takeover

  • Web Cache Poisoning

  • Server-Side Request Forgery

  • Improper Access Control

  • Privilege Escalation (Horizontal/Vertical)

  • Path Traversal leading into Local File Inclusion

  • Remote File Inclusion

  • HTTP Request Smuggling

  • Session Management Issues

  • SQL Injection

  • Remote Code Execution

  • OS Command Injection

  • Personal Information and Sensitive Personal Information

Out-of-Scope Vulnerabilities

The following vulnerabilities are outside the scope of our program.

  • Any activity that could lead to the disruption of our service

  • Comma Separated Values (CSV) Injection

  • Any activity requiring Man-in-the-Middle (MITM) or physical access to a device

  • Cross-Site Request Forgery on forms with no sensitive actions

  • Clickjacking on forms, pages, or buttons with no sensitive actions

  • Presence of autocomplete attribute

  • Version disclosure of software, server, or other third parties without clear security impact to our applications

  • Tabnabbing

  • Missing DNS records (DMARC, DKIM, SPF)

  • Social Engineering

  • Spamming

  • Any kind of phishing

  • Missing best practices

  • Missing security headers that do not lead to a vulnerability

  • Host Header Injection, unless it leads to data theft

  • User enumeration - Please see https://security.stackexchange.com/a/200612/192205.

Safe Harbor

Any activities conducted in a manner consistent with our program rules, HackerOne’s policy, and disclosure guidelines will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep FormAssembly and our users safe!

In Scope

| Scope Type | Scope Name |
| --- | --- |
| ios_application | 1120698698 |
| web_application | appsecfa.tfaforms.net |
| web_application | app.formassembly.com |
| web_application | www.formassembly.com |
| web_application | typeahead.formassembly.com |
| web_application | https://wordpress.org/plugins/formassembly-web-forms/ |

Out of Scope

| Scope Type | Scope Name |
| --- | --- |
| web_application | *.formassembly.com |
| web_application | *.tfaforms.com |
| web_application | *.tfaforms.net |
| web_application | *.veerwest.com |


This program was found on HackerOne on 2017-01-09.

FireBounty © 2015-2024
