Responsible Disclosure

Out of Scope Targets

• All the sandbox and staging environments are out of scope.
• All external services/software which are not managed or controlled by Temperstack are considered out of scope.
• We do not accept reports for vulnerabilities solely affecting our marketing website (www.temperstack.com), which contains no sensitive data.

Eligibility

Prerequisites to qualify for reward:

• Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward.
• Your report must be in scope.
• You must demonstrate a vulnerability with proof/evidence.

At Temperstack, we value the security of our systems and applications and appreciate any reports of vulnerabilities. However, it is important to note that we have the sole authority to assess and decide on the validity and impact of any reported vulnerabilities. While we welcome all reports, deciding whether to take action or dismiss a report is final.

Rewards

For reporters who report a valid security issue, we send Temperstack Swag as a thank you!

Qualifying vulnerabilities (in-scope)

• Remote Code Execution, Code Injection, OS Command Injection
• SQL Injection (Inband SQLi; Blind SQLi)
• SSRF (unrestricted); Content-Restricted SSRF; Error-based SSRF (true/false); Blind SSRF
• Authorization Bypass, Account Takeover
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (on sensitive actions)
• Broken Authentication / Authorization
• Broken Session flaws
• Business Logical flaws
• Open Redirects (which allow stealing secrets/tokens)

Out-of-scope vulnerabilities

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any rewards:

• Clickjacking
• Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)
• Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
• Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS
• Login - Logout cross-site request forgery
• Self XSS
• Presence of server/software banner or version information
• Stack traces and Error messages which do not reveal any sensitive data
• Third-party API key disclosures without any impact or which are supposed to be open/public.
• OPTIONS / TRACE HTTP methods enabled
• Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
• Missing Cookie Flags (e.g. HttpOnly, secure etc)
• Host Header Injection
• Broken Links (e.g. 404 Not Found page)
• Known public files or directories disclosure (e.g. robots.txt, css/images etc)
• Browser ‘autocomplete’ enabled
• HTML / Text Injection
• Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
• Missing email best practices such as Invalid, incomplete, or missing SPF/DKIM/DMARC records
• Weak CAPTCHA or CAPTCHA bypass (e.g. using browser add-ons)
• Brute force on “Login with password” page
• Account lockout not enforced
• Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
• Rate limit mechanism bypass
• Open redirects unless an additional security impact can be demonstrated.
• Vulnerabilities only affecting users of outdated or unpatched browsers or operating systems.