Directly invites you to test their primary webapp and any other discoverable
subdomains or attack surface that's part of *.sandbox.directly.com. Upon
receipt of your report, we promise to review and address any security issues
in a timely manner and to communicate with you during our investigation and
Please note that Directly is only looking for sandbox environment issues (nothing in production). If you go into production sites, your IP may get banned.
Thanks again for making Directly a safer place for our customers and experts by disclosing security issues responsibly! Good luck and happy hunting!
For initial ratings, this program will use theBugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Last updated 21 Aug 2018 21:11:34 UTC
Technical severity | Reward range
p1 Critical | $2,000 - $2,500
p2 Severe | $1,000 - $1,500
p3 Moderate | $500 - $750
p4 Low | $250 - $300
P5 submissions do not receive any rewards for this program.
Target name | Type
<https://sandbox.directly.com/dashboard/index> | Website
<http://directly.github.io/demosite/qa/rtm/sandbox.html> | Website
*.sandbox.directly.com/ | Website
app.sandbox.directly.com | Website
Target name | Type
www.directly.com | Website
*.sandbox.directly.com/schedule-a-demo/* OR /product/* OR /careers/* OR
/about/* OR /legal/* OR /trust/* | Website
resources.directly.com/* | Website
Any domain/property of Directly not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This is the primary point of focus for testing - which mirrors the production version of our app, but also provides a safer place to test in. Given that this is available for testing - please DO NOT perform any testing against the production version of the app.
Fundamentally, Directly is an app that crowd-sources customer service - wherein customers crowd-source questions to power users by offering bounties on answering questions. Researchers are encouraged to self-provision as they're able, and to and test whatever functionality one can access (excepting functionalities specifically listed as out-of-scope).
As the scope infers, you're free to test any subdomain of .sandbox.directly.com that you're able to find - provided it isn't listed as out of scope. Please be aware that it is especially important that researchers do not submit requests to salesforce via .sandbox.directly.com/schedule-a-demo/
To register on our test environment, please visit https://area-51.sandbox.directly.com/apply and click apply now. Feel free to fill out the registration information and application however you'd like. You'll need to fill out all mandatory fields, including a profile picture. Once you've created an account, then you can go to https://app.sandbox.directly.com/login/auth to authenticate with your new set of credentials.
To access the main function of the site, which is asking questions of experts, you can visit this page: https://directly.github.io/demosite/qa/rtm/sandbox.html. Asking questions here populates the area-51 with your questions for further testing. Note! It is imperative that you visit the ask a question page in a separate browser so the question is not asked by your current account. This way, you'll be able to communicate to an unauthenticated user.
Security of user data and communication is of the utmost importance to Directly. In pursuit of the best possible security, we welcome responsible disclosure of any vulnerability you find. Principles of responsible disclosure include:
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.