StackPath

Our platform of secure edge services is developed in pursuit of our ultimate mission: to make the internet safe. We greatly value the hard work and genius of the internet security research community, and welcome reports of any discovered StackPath platform vulnerability.

If you identify a vulnerability in our platform please notify us right away through the methods outlined in our Vulnerability Disclosure Program. We investigate all reported vulnerabilities and resolve identified issues as quickly as possible. We appreciate your efforts and cooperation avoiding privacy violations, damaging data, or otherwise interrupting or causing a negative impact on any of our services as you conduct your research.

---

Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

---

Guidelines

• Perform research only within scope.
• If you find a vulnerability that exposes customer or employee personal information, Stop testing and report the issue immediately.
• If you gain access to any non-public application or non-public credentials, Stop testing and report the issue immediately.
• Do not purposefully attempt to degrade systems or services during testing.
• Collect and submit all information necessary to demonstrate the vulnerability.
• Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
• Only target your own account and do not attempt to access data from anyone else’s account that you do not expressly own.
• Follow the Bugcrowd “Coordinated Disclosure” rules

---

Focus Areas

• Cross Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Cross-Origin Resource Sharing (CORS)
• Server-side Request Forgery (SSRF)
• XML External Entities (XXE)
• SQL Injection (SQLi)
• Authentication related issues
• Authorization related issues
• Data Exposure
• Redirection attacks
• Remote Code Execution (RCE)
• Clickjacking
• Insecure Deserialization
• Business Logic
• Unauthorized API actions
• Domain takeover
• Web Application Firewall (WAF)
• Application Denial of Service (L7 DoS)
• Clever vulnerabilities that do not fall into the above categories

---

Excluded Submission Types

• Issues determined to be low impact
• Tenant/cloud systems where StackPath is simply acting as the site host
• Security vulnerabilities in third-party products or websites that are not under StackPath's direct control
• Vulnerability reports which do not include careful manual validation
• Reports based only on results from automated tools and scanners
• Theoretical attack vectors without proof of exploitability
• Any customer hosted systems or services
• Social engineering and physical attacks
• Missing or incorrect SPF/DMARC/DKIM records
• Abandoned CNAME records are excluded unless there is an existing link from a company resource to the invalid CNAME
• Clickjacking reports against unauthenticated pages and/or static content resources
• POST based Reflected XSS / Self XSS
• Vulnerabilities which send unsolicited bulk messages (spam)
• Denial of Service attacks that require large volumes of data

Third-party websites

Researchers will be encouraged to contact the third-party maintainers directly.

---