Vulnerability Disclosure Programme

Introduction

Security is core to our values, and we value the input of external security researchers acting in good faith to help us maintain a high standard for the security privacy of our users and systems. This policy sets out our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, skill, and dedication.

Guidelines

We require that all security researchers to:

• Act in good faith to avoid privacy violations, degradation of our services, disruption to production systems, and destruction of data during security testing (including denial of service);
• Perform research only within the scope set out below;
• Be clear and succinct, a short proof-of-concept link is invaluable;
• Only interact with your own accounts or test accounts for security research purposes. Do not access or modify our data or our users'data, without the explicit permission of the owner; and
• Keep information about any vulnerabilities you’ve discovered confidential between us until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

• Not pursue or support any legal action related to your research;
• Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);

Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) without express consent from Planky.

Scope

All our external production assets are considered in scope as part of the vulnerability disclosure programme. This includes all applications, network services and systems exposed in any domain owned by Planky as detailed below:

• *.planky.com

Subdomains of planky.com which upon access redirect to 3rd party services should be considered out-of-scope.

In-Scope Vulnerabilities

The vulnerabilities listed here are explicitly eligible for our security program. Common examples include:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Authentication or Authorization Flaws
• Server-Side Request Forgery (SSRF)
• Server-Side Template Injection (SSTI)
• SQL injection (SQLI)
• XML External Entity (XXE)
• Remote Code Execution (RCE)
• Local or Remote File Inclusions

We are interested in reports for all of our software and dependencies especially if it impacts reasonably sensitive user data.

Out-of-Scope Vulnerabilities

The following are considered out of scope for our security program and will not be rewarded:

• Missing best practices in SSL/TLS configuration
• Missing best practices in HTTP headers configuration
• Missing best practices in DNS records
• Policies on presence/absence of SPF/DMARC records.
• Password, email and account policies, such as email id verification, reset link expiration, and password complexity.
• Logout Cross-Site Request Forgery.
• Attacks requiring physical access to a user's device.
• Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible.
• Social engineering of our employees or clients.
• Any physical attempts against our property or data centers.
• Presence of autocomplete attribute on web forms.
• Missing cookie flags on non-sensitive cookies.
• Any access to data where the targeted user needs to be operating a rooted mobile device.
• Missing security headers which do not lead directly to a vulnerability.
• Host header Injection
• Reports from automated tools or scans that haven't been manually validated.
• Presence of banner or version information unless correlated with a vulnerable version.
• UI and UX bugs and spelling mistakes
• Clickjacking on pages with no sensitive actions (e.g. on planky.com)
• Issues only available in self-exploitation scenarios (e.g. self XSS or pasting JavaScript into the browser console)
• Software version disclosure
• Issues affecting third party applications or dependencies used by Planky, unless a significant security impact is proved (i.e. we expect a full exploit)
• Access to information which is intentionally "public"

Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

• Play by the rules. This includes following this policy any other relevant agreements;
• Report any vulnerability you’ve discovered promptly;
• Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
• Use only the Official Channels to discuss vulnerability information with us;
• Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
• If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
• You should only interact with test accounts you own or with explicit permission from the account holder; and
• Do not engage in extortion.

Exploitation

Security issues discovered in any Planky applications and systems should be explored to the minimum extent possible to demonstrate the presence of the vulnerability.

Sending a report

Please include the following mandatory details:

• Vulnerability description
• Affected component
• Potential impact of the issue
• Encrypted sensitive vulnerability details using our public PGP key available in the security.txt well-known file.

Vulnerability reports should be sent to the security@planky.com email address