Introduction

Faraday, Inc. looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Please see the "Out of scope" section - there are important exclusions.

Response targets

Faraday, Inc. will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response: 2 business days

• Time to triage: 2 business days

• Time to bounty: 1 business day

We'll try to keep you informed about our progress throughout the process.

Disclosure policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's ​https://www.hackerone.com/disclosure-guidelines

Program rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Test plan

https://app.faraday.ai/signup

This will mostly give you access to the API (https://api.faraday.ai), but it will also give you a window into our web app (https://app.faraday.ai).

API docs are at https://developer.faraday.ai/

Our test priorities are:

• Nobody can break in

• No cross-account leakage

• We aren't leaving sensitive data publically accessible

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Faraday, Inc..

In scope

• https://api.faraday.ai

• https://app.faraday.ai

• https://app.faraday.ai/signup

• https://try.faraday.ai

• https://developer.faraday.ai

• Our S3 buckets, etc.

• Malicious action by authenticated users

• CSRF/XSS

• Content spoofing and text injection issues with showing an attack vector/with being able to modify HTML/CSS

• Open redirect if an additional security impact can be demonstrated

• Clickjacking on pages with sensitive actions

• Previously known vulnerable libraries with a working Proof of Concept.

• Comma Separated Values (CSV) injection with demonstrating a vulnerability

Out of scope

These are OUT OF SCOPE:

• Denial of Service (DOS)

• Don't schedule a demo on https://faraday.ai. It is extremely distracting to our sales team.

• Non-secret tokens on https://app.faraday.ai/api/environment.js. Do not report this.

• https://faraday.atlassian.net/servicedesk/customer/user/signup - this is not associated with Faraday

• Our public website https://faraday.ai

• Rate limiting or bruteforce issues on non-authenticated endpoints

• Rollbar (ff5ae6124c8b4a77ae60503f62f8f213) and Intercom (1pdrkobe) tokens found in our JS.

• Attacks requiring MITM or physical access to a user's device.

• Missing best practices in SSL/TLS configuration.

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Tabnabbing

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep Faraday, Inc. and our users safe!

Copyright

Copyright 2022 Faraday, Inc.