Our mission with SplashID Safe is keeping customer information confidential — your information needs to be kept your own, secure and private. Over the past decade, we have worked with our community of users and with security researchers to improve SplashID Safe's security. We recognize security is an ongoing process, and we need to constantly evolve to meet new threats. We appreciate all security concerns reported to us, and we value feedback. If you feel you have found a potential security issue with SplashID Safe, please let us know. When reporting potential issues, please be as thorough as you can in providing enough detail so that we can recreate your finding. We will respond as soon as we can. Once you have submitted a security concern, we may follow up with you to get additional information. Once we have validated a concern and implemented a fix, we will thank you for your assistance and also recognize you if you would like.
Before you begin, please read and understand the Standard Disclosure Terms.
In scope for this bounty
- https://www.splashid.com/login (only SplashID Safe Personal Edition)
- SplashID Safe for iOS
- SplashID Safe for Android
- SplashID Safe for BlackBerry
- SplashID Safe for Windows
- SplashID Safe for Mac
- Exclude https://www.splashid.com/teams/login
- Major vulnerabilities - SQL injection, cross site scripting, cross site request forgery, broken authentication, remote code execution (RCE), privilege escalation, provisioning errors
- Anything that compromises a user’s session or provides access to customer data
- Individual SplashID Safe applications as well as web accounts (Mobile apps - iOS / Android / BlackBerry, Desktop apps - Windows, Mac OS, Web accounts at www.splashid.com
Out of scope
- SplashID Safe for Teams
This bounty follows Bugcrowd’s standard disclosure terms.
Program Specific Rules:
- You may create a test account with the following limits: two regular accounts and one SplashID Safe for Teams account with no more than three users
- Test record creation is limited to a maximum of 50 records
- No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner)
- Scripted / API tests must be rate limited to 1 request per second
- Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
- No DOS/DDOS tests
Vulnerabilities which will NOT be rewarded:
- URL redirection
- Clickjacking and issues only exploitable through clickjacking.
- Banner/version disclosure
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Full Path and known public files or directories disclosure
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF on logout functionality
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- SSL weaknesses (e.g. Insecure ciphers / older protocols)
- Social engineering
- Missing account lockout enforcement
- Bugs specific to unsupported browsers/plugins
- Bugs that rely on impractical user action
This bounty requires explicit permission to disclose the results of a submission.