Last modified September 29th, 2021
We are dedicated to maintaining the security and privacy of the Somera services and customer data. We welcome security researchers from the community who want to help us improve our products and services.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
If you discover a security vulnerability, please give us the chance to fix it by emailing us at firstname.lastname@example.org and please provide detailed reports with reproducible steps. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Thank you for your work and interest in making the community safer and more secure!
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must comply with these rules when discovering the vulnerability and submitting the vulnerability report.
- All user data gathered during testing must be anonymised in the report and deleted from your laptop and any other device.
- Somera is not legally obliged to pay you any bounty.
- We will ban you if you do any of the below.
- NEVER attempt to gain access to another user's account or data.
- NEVER attempt to degrade the services.
- NEVER impact other users with your testing.
- Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.
- Large-scale scans using automated tools are strictly prohibited. If your tests have a negative impact on any element of our platform, we may block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you. In some cases we may take legal action against you.
The following types of reports/attacks are out of scope. Do not attempt them:
- DoS attacks
- Brute force attacks
- Physical vulnerabilities
- Social engineering attacks, including but not limited to:
  - email auth (SPF, DKIM, etc.)
  - hyperlink injection in emails
- CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
- Self-XSS and issues exploitable only through self-XSS
- Clickjacking and issues only exploitable through clickjacking
- Functional, UI and UX bugs and spelling mistakes
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP error codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Presence of application or web browser "autocomplete" or "save password" permission
- User enumeration on login
- Absence of rate limits
WHAT IS FORBIDDEN
- Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit authorization from Somera
- Disclosing the contents of any submission without explicit authorization from Somera
- Accessing private information of any person stored on any Somera product or service – you must use test accounts
- Accessing sensitive information (e.g. credentials)
- Performing actions that may negatively affect Somera or its customers (e.g. spam, brute force, denial of service). If you see that your tests are impacting Somera, you must stop them and inform us.
- Conducting any kind of physical attack on Somera's personnel, property or data centers
- Social engineering (e.g. phishing, vishing, smishing) any Somera help desk, employee, contractor or user
- Conducting vulnerability testing of participating services using anything other than test accounts
- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability
- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities