Socrata helps public sector organizations improve transparency, citizen service, and data-driven decision-making. Our user-friendly solutions deliver data to governments trying to reduce costs, to citizens who want to understand how their tax dollars are used, and to civic hackers dedicated to creating new apps and improving services.
We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users and makes the Web a safer place for all.
Because our platform is built for data sharing it is worthwhile for researchers to familiarize themselves with the account permission models in place and especially with our Socrata Query Language (SoQL).
- We strictly prohibit usage of Automated scanners - we have our own DAST :)
- All testing should be limited to 0700-1800 PDT (GMT -7) - this helps our on-call staff stay sane :)
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Perform research only within the scope set out below
- Use the identified communication channels to report vulnerability information to us
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Socrata
If you follow these guidelines when reporting an issue to us we commit to:
- Not institute a civil legal action against you and not support a criminal investigation
- Work with you to understand and resolve the issue quickly (confirming the report within one week of submission)
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue
- Thank you for participating and happy hunting!
To be eligible for a reward, your submission must include clear reproduction steps and provide details around exploitability and impact. Including screenshots or providing a video is helpful as well.
Scope and rewards
|Technical severity||Reward range|
|p1 Critical||$2,100 - $2,500|
|p2 Severe||$1,000 - $1,250|
|p3 Moderate||$450 - $600|
|p4 Low||$150 - $200|