Security Vulnerability Disclosure

As a provider of products and services for many users across the Internet, Pabbly recognizes how important it is to help protect the privacy and security of our Customer Data. We understand that secure delivery of our Services is instrumental in maintaining the trust customers place in us and we strive to create innovative products that both serve our customers' needs and operate in our customers' best interest. Keeping Customer Data safe and secure is a top priority for Pabbly and a core company value. This is in keeping with Pabbly's commitment to Privacy and Security by Design and Default.

Maintaining the security of our Services is paramount at Pabbly. We believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment. Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community. Together, we can achieve our common goal.

The security research community regularly makes valuable contributions to the security of organizations and the broader Internet. Pabbly recognizes that fostering a close relationship with the security research community will help improve our own security. When participants in our programs have information about a vulnerability in a Pabbly web application or Service, we welcome the submission of their findings.

Guidelines

Prior to reporting, please review the following information including our vulnerability disclosure program, scope, and other guidelines. To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:

• Follow this Disclosure Program, as well as any other relevant agreements.
• Do not cause any harm, hinder application fluency or act against our Terms of Use Agreement.
• Do not intentionally access non-public Pabbly data anymore than is necessary to demonstrate the vulnerability.
• Do not access, modify, destroy, save, transmit, alter, transfer, use or view data belonging to anyone other than yourself. If a vulnerability provides unintended access to data, please cease testing, purge local information, and submit a report immediately.
• Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
• Do not compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal.
• Public disclosure of vulnerabilities before they are acknowledged, validated, and fixed by our security team is not permitted. Researchers are expected to follow responsible disclosure and report findings only through the official reporting channels. Premature or uncoordinated disclosure may result in disqualification from the program and forfeiture of any bounty.
• Use only the official channels designated (see "Reporting") to discuss vulnerability information with us.
• Threatening of any kind will automatically disqualify you from participating in the program.
• Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
• Vulnerability disclosure communications with Pabbly's Security Team are to remain confidential and private. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the vulnerability reported is closed.
• Must contain sufficient information, including a proof of concept screenshot, video, or code snippet where needed and whenever asked.

Examples of Qualifying Vulnerabilities

• Authentication flaws
• Circumvention of our Platform/Privacy permissions model
• Cross-site scripting (XSS)
• Server-side code execution.
• Brute-force/Rate-limiting/Velocity throttling, and other denial of service based issues.
• Clickjacking / CORS / CSRF/ Content Security Policy/ Socket hijacking.

Examples of Non-Qualifying Vulnerabilities

• Cookie flags/Strict Transport Security.
• SPF, DKIM and DMARC issues.
• Possibilities to send malicious links to people you know.
• Mobile issues that require a Rooted or Jailbroken device.
• XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing
• Reports from automated tools or scans.
• Denial of Service vulnerabilities (DOS).
• Possibilities to send malicious links to people you know.
• Security bugs in third-party websites that integrate with Pabbly.
• Mixed-content scripts on pabbly.com
• Insecure cookies on pabbly.com
• Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible.

Out of Scope

• https://pabbly.hellonext.co
• https://forum.pabbly.com

Rewards

Our reward system is flexible and does not have any strict upper or lower limit. While a reward of up to $50 may be granted for an eligible vulnerability report, the actual bounty is not guaranteed and is determined solely at our discretion. The final reward amount depends on the severity, impact, and originality of the vulnerability, as well as whether it was reported first. We reserve the right to deny a report if the vulnerability has already been disclosed by another party. All final decisions regarding eligibility and bounty amounts rest with our team.

Rewards will be issued via PayPal only after the vulnerability has been fixed, and any transaction or processing fees charged by the service provider will be deducted from the awarded amount.

Report Vulnerability

Please submit your report at click here: https://forms.pabbly.com/form/share/DPHw-722603307

Your findings should be supported by clear and precise documentation with no speculative information. All findings should have an indication of relevance and impact. Remember to provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during the discovery that will allow us to reproduce the vulnerability.

In reporting, please include the following information -

• Vulnerable URL – the endpoint where the vulnerability occurs;
• Vulnerable Parameter – if applicable, the parameter where the vulnerability occurs;
• Vulnerability Type – the type of vulnerability;
• Steps to Reproduce – step-by-step information on how to reproduce the issue
• Screenshots or Video – a demonstration of the attack; and
• Attack Scenario – an example attack scenario may help demonstrate the risk and get your issue resolved faster.

Timeline

We answer all submissions within a few days. Timelines for fixes will vary with the severity of the vulnerability and availability of engineering resources to address it.

We do our best to stay within these timelines, but resource availability and other priorities sometimes make us take a bit longer than these. If we are going to take longer, we'll update you and let you know.

Please don't email us repeatedly for a status update. We won't reply to those requests, and will only reply when we have something to tell you. We promise to be in touch as we triage your submissions.