WebSummit

2016-05-27
2020-05-06

Thank / Gift / HOF / Reward

10 $
  • No longer taking reports for websummit.com

No technology is perfect, and WebSummit believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Rules for participation

  • Do not disclose issues publicly before they are resolved.
  • Only original reports will be rewarded.
  • We will reward security issues only; bugs without security implications should not be reported.
  • Failure to follow these rules will disqualify you from participating in this program.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out-of-scope Vulnerabilities

  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without an accompanying proof of concept demonstrating the vulnerability.
  • XSS issues that affect only outdated browsers.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Vulnerabilities reported by automated tools without additional analysis as to how they are an issue.
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • Denial of Service attacks.
  • Reflected File Download (RFD).
  • window.opener-related issues.
  • Missing autocomplete attributes.
  • Missing cookie flags on non-security-sensitive cookies.
  • Issues that require physical access to a victim's computer.
  • Banner grabbing issues (figuring out what web server we use, etc.).
  • Open ports without an accompanying proof of concept demonstrating the vulnerability.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of WebSummit staff or contractors
  • Any physical attempts against WebSummit property or data centers
  • Scope is limited to just websummit.com. All other properties on the websummit.net domains are out of scope.
  • As our content is embedded on other sites, we do not set an X-Frame-Options header. This is intentional for the moment, so please do not report clickjacking issues.
  • Do not test the messaging system (Contact Us). It is provided by a third party (intercom.io) and is completely self-contained.

Non-qualifying vulnerabilities

  • User enumeration (we have deemed this acceptable risk)
  • Reports from automated tools or scans
  • Missing http security headers (unless you deliver a proof of concept that leverages their absence)
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
  • DNS misconfiguration (Subdomain Takeover)
  • DMARC/SPF issues

Thank you for helping keep WebSummit and our users safe!


This program was found on HackerOne on 2016-05-27.
