As part of our commitment to data protection and security, Beamer has put in place a Bug Bounty Program to ensure any security concern is reported and security researchers are rewarded for their findings. If you are a security researcher, please find below our Bug Bounty Program guidelines.
You can learn more about Beamer’s policies and commitment with security here:
- You must use your own Beamer account when researching bugs. Using third-party accounts without consent is strictly prohibited.
- Automated tests are not allowed
- Bugs and security concerns should be addressed to firstname.lastname@example.org
- Each bug will be treated separately even if reported with other bugs
- You should be the first person to report the bug to be entitled for a reward. Duplicate reports will not have compensation rights, unless additional information is provided.
- Compensation will be based on the severity of the bug finding.
- Bug Bounty rewards will be paid by PayPal in U.S. dollars after the bug is fixed.
- Security research should be conducted following industry standards and no legal actions should be initiated against security researchers, as long as they comply with this policy and guidelines.
- A new bug is reported through email@example.com
- The report should be detailed enough to be able to recreate the issue.
- Screenshots, videos or GIFs should also included as proof of the issue.
- Make sure bugs are not related to cached data and perform several tests with the same result before reporting it.
- Once the report is received we will check if the bug has already been reported or if it is already being fixed. If not, we will determine the severity of the bug based on the guidelines below, communicate the reward and keep you posted on the resolution.
- Once the bug is fixed, we will reward the reporter through PayPal.
Bounty rewards are subject to assessment, depending on the severity of the report and the impact on users.
|Bug Severity tier
Bug severity tiers are described below:
- Remote Code Execution
- SQL Injection
- SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
- Privilege Escalation affecting all accounts
- Broken Authentication affecting all accounts
- Information leaks or disclosure of customer data
- Broken Authentication affecting a single account
- Privilege Escalation affecting a single account
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- SSRF to an internal service, hosted by Beamer
- Information leaks or disclosure (including customer data)
- “Tab-Nabbing” or other rel=”noopener” bugs
- Mixed content issues
- Server misconfiguration or provisioning errors
The following bugs are unlikely to be eligible for a bounty reward:
- Denial of Service attacks
- Brute Force attacks
- “Advisory” or “Informational” reports that do not include any Beamer-specific testing or context
- Issues found through automated testing
- “Scanner output” or scanner-generated reports
- Publicly-released bugs in internet software within 3 days of their disclosure
- Spam or Social Engineering techniques, including:
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Content Spoofing
- Vulnerabilities requiring physical or remote access to the victim’s unlocked device
- Issues relating to Password Policy
- Full-Path Disclosure on any property
- Version number information disclosure
- Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to the following security-related headers:
- Strict Transport Security (HSTS)
- XSS mitigation headers (X-Content-Type and X-XSS-Protection)
- Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Bugs that do not represent any security risk – these should be reported to firstname.lastname@example.org
- Security bugs in third-party applications or services built on the Beamer API – please report them to the third party that built the application or service