We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Smartsheet. Every day new security issues and attack vectors are created. Smartsheet strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

In scope

Additional Information

  • Only the app.smartsheet.com/ and api.smartsheet.com/ domains are in scope.
  • www.smartsheet.com is out of scope.
  • Automated scanners MUST BE single threaded / rate limited.

Accessing the target:

  • Create a trial account at https://app.smartsheet.com/b/signup
    • You must use your username@bugcrowdninja.com email address
  • Sign up for a Developer account through https://www.smartsheet.com/developers/register
    • This will allow you to create multiple accounts to test account integrity, etc.

Focus Areas:

  • Account Takeovers (do not test against customer accounts)
  • Customer information disclosure and manipulation

Out of Scope

  • Phishing
  • DoS / DDoS testing

The following finding types are specifically excluded from the bounty:

  • Executables as attachments
  • XSRF (excluded for these two URLs: https://app.smartsheet.com/b/publish and https://app.smartsheet.com/b/embed)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Redirect while opening links outside of authentication flows
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self XSS
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
    • via Import Users functionality
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.
As a condition of participation in this program, you hereby grant Smartsheet, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.