At Harvest security is very important, our customers trust us with their data and we take this trust extremely seriously. With this security bounty system, we aim to reward the work of security researchers who find issues with Harvest’s suite of applications. Our team is committed to addressing all security issues in a responsible and timely manner.

Rules for reporting

===============

If you find a security issue let us know and we will make every effort to resolve the issue as soon as possible. Please do not publicly disclose any details until Harvest has confirmed the bug has been fixed. If you provide us a reasonable amount of time to resolve it, we promise to get back to you quickly at each step of the resolution process.

All bug reports should include

========================

• A detailed step-by-step explanation of how to replicate the issue.

• Attack Scenario to demonstrate the risk.

Rules for testing security issues on Harvest

===================================

• Use test accounts. Please add +hackerone to your email address before the @, e.g. researcher+hackerone@example.com

• Avoid security scanners or tools which may cause DoS, DDoS or scraping-like behaviour.

• Do not use automatic tools against contact or support forms

• Do not comment on the blog while testing

• NEVER try to gain access to real user's account or data.

• You must not leak, manipulate, or destroy any user data.

• Do not impact users with your testing

• Do not perform denial of service attacks, mail bombing, spam, scraping, brute force, or automated attacks with programs like Burp Intruder.

• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

• Any vulnerability found must be reported no later than 48 hours after discovery.

If you have any doubt please write to us: security@getharvest.com

What we are looking for

===================

In general any vulnerability which could negatively affect the security of our users like:

• Cross-site Scripting (XSS)

• Cross-site Request Forgery

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Server-side Remote Code Execution (RCE)

• XML External Entity Attacks (XXE)

• Access Control Issues (Insecure Direct Object Reference issues, etc)

• Exposed Administrative Panels that don't require login credentials

• Directory Traversal Issues

• Local File Disclosure (LFD)

• Anything not listed but important.

Concatenating bugs to increase the attack scenario is encouraged. We do not allow by any means escalations such as port scanning internal networks or privilege escalation attempts. Never download or access private data.

What we are NOT looking for

========================

• Hyperlink injection on emails

• Best practices concerns (we require evidence of a security vulnerability)

• Sessions not being invalidated when a best practice says so

• Wordpress XMLRPC brute force attacks

• CSV/Excel command injection issues

• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

• Race conditions that don't compromise the security of Harvest or our customers

• Reports about theoretical damage without a real risk

• The output of automated scanners without explanation

• window.opener Related Issues

• CSRF with no security implications (like Login/logout/unauthenticated CSRF)

• Missing cookie flags on non-security sensitive cookies

• Attacks requiring physical access to a user's device

• Missing security headers not related to a security vulnerability

• Reports of insecure SSL/TLS ciphers unless you have a working proof of concept

• Banner grabbing issues to figure out the stack we use or software version disclosure

• Open ports without a vulnerability

• Password and account recovery policies, such as reset link expiration or password complexity

• Invalid or missing SPF (Sender Policy Framework) records

• Disclosure of known public files or directories, (e.g. robots.txt)

• Reports of spam

• User enumeration

• DNS misconfiguration

• Presence of autocomplete attribute on web forms

• DNSSEC settings

• HSTS or CSP headers

• Host header injection unless you can show how a third-party can exploit it.

• Vulnerabilities that require a rooted, jailbroken or software emulated device

If you really feel that something listed above will have a great impact on our security, and you have a working proof of concept, please feel free to report it explaining the attack scenario that we are missing, otherwise it will be classified as Not Applicable.

What is explicitly out of scope

========================

Any submitted reports related to these applications will be closed as N/A:

• harveststatus.com

• help.getharvest.com

• getharvest.com/contact

• support.forecastapp.com

To qualify for a bounty

===================

• You must be the first reporter

• It must not be a duplicate or known issue

• Your report must be within scope

• You should not disclose the issue before its resolution

• You should not access another user’s data without permission

• The report should describe an attack scenario and a real risk for the user.

If you have any doubt please write us: security@getharvest.com

What is ineligible for a bounty, but appreciated

======================================

• Recently disclosed 0 day vulnerabilities

• Use of a known-vulnerable library

• Reflected XSS

• Open redirects

• Self-XSS (making users attack themselves generally is not a security issue)

• Significant Content Spoofing - Text Injection attacks

• Any low severity issue (not listed on "What we are not looking for" section)

Thank you for helping keep Harvest and our users safe.

Happy bug hunting!