Casper is committed to treating our customers’ data with the utmost care. We also look forward to working collaboratively with the security community on HackerOne.

Program Rules

• Automated testing is not permitted.

• Please Follow HackerOne’s Disclosure Guidelines.

• Test only with your own orders, users, or items (any resource you were able to create) when investigating bugs, and do not interact with other orders or resources without the consent of the Casper team.

• We award bounties at time of triage, and will keep you posted as we work to resolve the issues reported.

• You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise issues reported only reward the first reporter.

• Please NO publicly hosted videos(i.e. youtube, vimeo, etc...) or screenshots included in reports.

• Under no circumstances engage in denial of service.

Testing notes

• Cookie Scope: the only sensitive cookies in the Casper product reside on .casper.com and not on other casper-domains.

Secondary Scope

Secondary targets are adjacent systems that have a lower impact on Casper systems and so will be paid at a lower rate than primary targets. In addition, valid vulnerabilities for these submissions will only be considered for risks of severity “High” or greater.

Secondary Scope Rewards

We encourage researchers to focus on in scope targets as this will result in the highest payouts and quickest response time. If your submission impacts an application in the "Secondary Scope" section, is a severity of High or Critical, and meets other applicable requirements (i.e., not an Excluded Submission Type); we will provide a reward in the range of “Very Low” to “Medium” range of bounty.

Excluded Submissions

The following bugs are unlikely to be eligible for a bounty:

• Man in the Middle based attacks

• "Scanner output" or scanner-generated reports

• Parameter Pollution without side effects

• Issues found through automated testing

• Publicly-released bugs in internet software within 15 days of their disclosure

• "Advisory" or "Informational" reports that do not include any casper-specific testing or context

• Denial of Service attacks and rate limit abuse

• Spam or Social Engineering techniques, including SPF and DKIM issues

• Content Spoofing

• Full-Path Disclosure on any property

• Version number information disclosure

• CSRF-able actions that do not require authentication (or a session) to exploit

• 3rd-party subdomains of casper.com that are not explicitly named in the scope.

• Reports related to the following security-related headers:

• Strict Transport Security (HSTS)

• XSS mitigation headers (X-Content-Type and X-XSS-Protection)

• X-Content-Type-Options

• Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)