Vulnerability Disclosure Policy

Bug Bounty Program

Saasu values and appreciates the contributions of the cybersecurity community in improving and maintaining our systems to meet cybersecurity standards. We review and accept reports submitted by the community that follow the criteria listed below. Saasu will not respond to vulnerability reports that fall under the exclusions list or that describe vulnerabilities reported previously.

Please do not publish any reported vulnerabilities for Saasu domains.

Scope

Reports submitted to Saasu for https://secure.saasu.com are in scope and will be accepted for evaluation.

Exclusions

Saasu retains the right to determine whether to accept a report submitted as a vulnerability disclosure.

Saasu will reject reports where you:

  • Create multiple free trial accounts, programmatically or otherwise. We reject these because each account triggers volumes of email, SMS messages, marketing activity, sales actions and service-team follow-ups. If you cannot assess our system within a limit of a few trial files, we ask that you not seek bounties from Saasu.
  • Perform rate-limit tests without a considerate approach, i.e. test small within tight time frames (10 events in <200ms) to reduce the volume and cost impact on services such as email, SMS, account creation and related sales and marketing activities.
  • Harass our support staff for updates. We have an internal process for the support team to raise a ticket for the development team to review and qualify submissions. This can take some time and is often prioritised after their scheduled workload. The support team is unable to provide you with any further information until the development team completes their review, and sending multiple emails asking for updates creates greater strain on our support team whose first priority is our paying customers.
  • Harass our accounting staff for payment, request updates on payment, fail to invoice as requested, or engage in any other unprofessional behaviour. Allow a minimum of four weeks for payment processing, even though payments may at times be made within days.
  • Report issues with minimal security impact or low exploitability, vulnerabilities beyond Saasu’s control, vulnerabilities discovered through automated scans that have not been verified manually, vulnerabilities already reported, or vulnerabilities related to a violation of the program requirements.

Out of scope vulnerabilities

  1. Vulnerabilities demonstrated where the attacker has direct access to the victim’s device for demonstration purposes, e.g. direct access to cookies;
  2. Click-jacking on pages with no sensitive actions;
  3. CSRF without a demonstrated vulnerability;
  4. Password and account recovery policies, such as reset link expiration or password complexity;
  5. Presence of autocomplete attribute on web forms;
  6. Username/user id enumeration;
  7. Vulnerabilities only affecting outdated or unpatched browsers;
  8. SSL/TLS configurations without a demonstrated vulnerability;
  9. Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
  10. Denial of service or resource exhaustion;
  11. Missing HTTP-only or secure cookie flags unrelated to a vulnerability;
  12. Missing security headers unrelated to a vulnerability;
  13. Attacks against network and security infrastructure; and
  14. Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).

Program Requirements

Saasu will not pursue legal action against participants who:

  1. Submit in-scope reports and engage in testing/research of systems without harming Saasu, its customers, employees, or third parties.
  2. Do not compromise the privacy of Saasu’s customers, employees, or other individuals, for example by accessing personal information.
  3. Do not conduct social engineering, spam, or phishing attacks.
  4. Do not test the physical security of any property of Saasu or third parties.
  5. Do not conduct denial-of-service or resource-exhaustion attacks.
  6. Comply with applicable criminal laws.
  7. Adhere to other applicable laws.

You agree that Saasu may disclose the information in a report you submit through this website. Saasu will consider any request from a researcher to make a disclosure but reserves the right to deny such requests.

How to Submit a Report

To submit a report to Saasu, please email it to service@saasu.com and accept the disclosure guidelines in this policy by including the sentence “I have read and agree to the vulnerability disclosure policy and terms outlined by Saasu.”

Expectations for Researchers:

  1. Well-written reports in English have a higher chance of a faster response and resolution;
  2. Reports that include proof-of-concept code enable Saasu to better understand and triage the submitted information;
  3. Reports that include only output from programs may receive lower priority;
  4. Participating in this program does not give you any right to intellectual property owned by Saasu or a third party;
  5. Do not report the same vulnerability more than once (e.g. the same vulnerability for different entities, fields or interfaces) for Saasu domains;
  6. Please include how you found the vulnerability and, if possible, any potential remediation(s);
  7. Please do not include any personal information; and
  8. Account takeovers that require the victim to be social engineered, or the attacker to gain access to the victim’s mobile or email, are not considered account takeovers.

How Saasu pays a bounty

We pay bounties in AUD via PayPal.

  1. Invoice Saasu Pty Ltd for the amount notified, in the legal name of the person or entity to be paid.
  2. Include your PayPal payment email address on the invoice.
  3. Do not charge fees or an amount that differs from the exact bounty, as the accounts team will not process the request.
  4. We send payment via PayPal within 5 business days.