Directly invites you to test their primary webapp and any other discoverable subdomains or attack surface that's part of *.sandbox.directly.com. Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.
Please note that Directly is only looking for sandbox environment issues (nothing in production). If you go into production sites, your IP may get banned.
Thanks again for making Directly a safer place for our customers and experts by disclosing security issues responsibly! Good luck and happy hunting!
For initial ratings, this program will use the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $1,000 - $1,500 |
| P3 Moderate | $500 - $750 |
| P4 Low | $250 - $300 |
Out of scope
Any domain/property of Directly not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This is the primary point of focus for testing - which mirrors the production version of our app, but also provides a safer place to test in. Given that this is available for testing - please DO NOT perform any testing against the production version of the app.
Fundamentally, Directly is an app that crowd-sources customer service - customers post questions to power users and offer bounties for answering them. Researchers are encouraged to self-provision accounts as they're able, and to test whatever functionality they can access (excepting functionality specifically listed as out of scope).
As the scope implies, you're free to test any subdomain of *.sandbox.directly.com that you're able to find - provided it isn't listed as out of scope. Please be aware that it is especially important that researchers do not submit requests to Salesforce via *.sandbox.directly.com/schedule-a-demo/
To register on our test environment, please visit https://area-51.sandbox.directly.com/apply and click apply now. Feel free to fill out the registration information and application however you'd like. You'll need to fill out all mandatory fields, including a profile picture. Once you've created an account, then you can go to https://app.sandbox.directly.com/login/auth to authenticate with your new set of credentials.
To access the main function of the site, which is asking questions of experts, you can visit this page: https://directly.github.io/demosite/qa/rtm/sandbox.html. Asking questions here populates the area-51 site with your questions for further testing. Note! It is imperative that you visit the ask-a-question page in a separate browser (or session) so the question is not asked by your currently logged-in account. This way, you'll be able to communicate with an unauthenticated user.
Security of user data and communication is of the utmost importance to Directly. In pursuit of the best possible security, we welcome responsible disclosure of any vulnerability you find. Principles of responsible disclosure include:
- Do not extract data from our infrastructure (including customer data, source code, data backups, configuration files).
- If you obtain access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
- Avoid scanning techniques that are likely to cause degradation of service to customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, Wordpress hits, etc.
- Keep details of vulnerabilities secret for at least 60 days such that Directly has had a reasonable amount of time to remediate the vulnerability.
Out of Scope:
- .directly.com/schedule-a-demo/ OR /product/* OR /careers/* OR /about/* OR /legal/* OR /trust/* (these are part of our WPEngine-hosted marketing site)
- resources.directly.com/* (this is a hubspot blog)
- It is especially important that researchers do not submit requests to Salesforce via *.directly.com/schedule-a-demo/
- Any WordPress-related URLs (wp-content, wp-includes, etc.)
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.