45466 policies in database
Link to program      
2019-04-25
2019-08-22
Smartsheet logo
Thank
Gift
HOF
Reward

Reward

50 $ 

Smartsheet

Program Update

2022-06-09

We appreciate your patience while we aggressively work to clear out a backlog of bug bounty reports and begin paying bounties again as of mid-July starting with higher severity reports first.

2022-05-09

We have recently added four additional assets to this program! These new Smartsheet assets include our developer marketplace, mobile apps and help site.

2022-03-14

We have paused the program effective immediately and plan on opening submissions in the near future. We appreciate all your hard work and patience!

2021-12-14

We have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.

Introduction

Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Response Targets

Smartsheet will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to first Smartsheet response (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Targets and Test Plan

Only test using @wearehackerone.com accounts, unless otherwise specified.

More detailed access instructions and documentation can be found in the Structured Scope section of this brief.

app.smartsheet.com
  • Use your @wearehackerone.com email to sign up for a developer account

  • Additional accounts can be created using yourusername+whatever@wearehackerone.com

api.smartsheet.com/2.0
admin.smartsheet.com
  • To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/
help.smartsheet.com and developers.smartsheet.com
  • No login required / supported
iOS Application and Android Application

Focus Areas

  • Account Takeover (do not test against customer accounts)

  • Privilege Escalation

  • Customer information disclosure and manipulation

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).

  • Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Restrictions

  • No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.

  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • No spamming. If you want to test a scenario that might result in spam, please contact us at mailto:bugbounty@smartsheet.com

  • Only test against Smartsheet accounts that belong to you.

  • Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)

  • Only test using an X-Bug-Bounty:<your_h1_username> http header so we can identify your requests easily.

Out of Scope / Not applicable

  • Executables as attachments.

  • Attacks requiring MITM or physical access to a user's device

  • Best practices in SSL/TLS configuration

  • Clickjacking on pages with no sensitive actions

  • Unauthenticated/logout/login CSRF

  • CSRF on public (published and embedded) sheets

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Previously known vulnerable libraries without a working Proof of Concept

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Spam and Email Abuse

  • Sub-domain Take-Over

Accepted Business Risks

  • Enumeration or disclosure of users and groups within own organization

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.

  • We practice the mutual agreement disclosure process.

  • Follow HackerOne's disclosure guidelines.

Legal Stuff

As a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

Do not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

In Scope

Scope Type Scope Name
android_application

com.smartsheet.android

ios_application

com.smartsheet.smartsheet

web_application

app.smartsheet.com

web_application

api.smartsheet.com/2.0

web_application

admin.smartsheet.com

web_application

help.smartsheet.com

web_application

developers.smartsheet.com

Out of Scope

Scope Type Scope Name
web_application

www.smartsheet.com

web_application

community.smartsheet.com

web_application

channel.smartsheet.com

web_application

*.test.smartsheet.com


This program feature scope type like web_application, ios_application, android_application.

FireBounty © 2015-2024

Legal notices | Privacy policy