Bug Bounty Program

Help us to keep Beamer secure and in top form

As part of our commitment to data protection and security, Beamer has put in place a Bug Bounty Program to ensure any security concern is reported and security researchers are rewarded for their findings. If you are a security researcher, please find below our Bug Bounty Program guidelines.

You can learn more about Beamer’s policies and commitment with security here:

Program Guidelines.

  1. You must use your own Beamer account when researching bugs. Using third-party accounts without consent is strictly prohibited.
  2. Automated tests are not allowed
  3. Bugs and security concerns should be addressed to bugbounty@getbeamer.com
  4. Each bug will be treated separately even if reported with other bugs
  5. You should be the first person to report the bug to be entitled for a reward. Duplicate reports will not have compensation rights, unless additional information is provided.
  6. Compensation will be based on the severity of the bug finding.
  7. Bug Bounty rewards will be paid by PayPal in U.S. dollars after the bug is fixed.
  8. Security research should be conducted following industry standards and no legal actions should be initiated against security researchers, as long as they comply with this policy and guidelines.

Bounty Process

  1. A new bug is reported through bugbounty@getbeamer.com
    • The report should be detailed enough to be able to recreate the issue.
    • Screenshots, videos or GIFs should also included as proof of the issue.
    • Make sure bugs are not related to cached data and perform several tests with the same result before reporting it.
  2. Once the report is received we will check if the bug has already been reported or if it is already being fixed. If not, we will determine the severity of the bug based on the guidelines below, communicate the reward and keep you posted on the resolution.
  3. Once the bug is fixed, we will reward the reporter through PayPal.

Reward Matrix

Bounty rewards are subject to assessment, depending on the severity of the report and the impact on users.

Low quality bugs may not qualify to reward or could be assessed below the lowest tier.

Bug Severity tierReward
Critical$200
High$100
Moderate$50
Low$25

Bug severity tiers are described below:

Severity: Critical

  • Remote Code Execution
  • SQL Injection
  • SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
  • Privilege Escalation affecting all accounts
  • Broken Authentication affecting all accounts

Reward: $200

Severity: High

  • Cross-site scripting (XSS)
  • Information leaks or disclosure of customer data

Reward: $100

Severity: Moderate

  • Broken Authentication affecting a single account
  • Privilege Escalation affecting a single account
  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • SSRF to an internal service, hosted by Beamer
  • Information leaks or disclosure (including customer data)

Reward: $50

Severity: Low

  • “Tab-Nabbing” or other rel=”noopener” bugs
  • Mixed content issues
  • Self-XSS (XSS requiring interaction other than browsing to exploit)
  • Server misconfiguration or provisioning errors

Reward: $25

Exclusions.

The following bugs are unlikely to be eligible for a bounty reward:

  • Denial of Service attacks
  • Brute Force attacks
  • “Advisory” or “Informational” reports that do not include any Beamer-specific testing or context
  • Issues found through automated testing
  • “Scanner output” or scanner-generated reports
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • Spam or Social Engineering techniques, including:
    • SPF and DKIM issues
    • Content injection
    • Hyperlink injection in emails
    • IDN homograph attacks
    • RTL Ambiguity
  • Content Spoofing
  • Vulnerabilities requiring physical or remote access to the victim’s unlocked device
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Bugs that do not represent any security risk – these should be reported to support@getbeamer.com
  • Security bugs in third-party applications or services built on the Beamer API – please report them to the third party that built the application or service

Your Data Security and Privacy is our Priority.

At Beamer, we care about our customers’ data and this is how we protect it.

Read our Terms of Service

vpn_key Data Ownership

Your account and data belongs to you and will not be sold in any case. We can delete your account and data upon your request. Learn more chevron_right

lock Encryption

Beamer data is encrypted in transit (advanced TLS protocols and 2,048-bit keys or better) and at rest (using AES 256 encryption with integrity).

dns Access

Customer data is always backed up and uptime is over 99.9%.

workspace_premium GDPR

Beamer is GDPR Compliant and has the Data Processing Agreements in place. Learn more chevron_right

bug_report Penetration testing

Third party network, application and physical security tests are conducted regularly. Learn more chevron_right

Keep your users in the know!