As a provider of products and services for many users across the Internet, Pabbly recognizes how important it is to help protect the privacy and security of our Customer Data. We understand that secure delivery of our Services is instrumental in maintaining the trust customers place in us and we strive to create innovative products that both serve our customers’ needs and operate in our customers’ best interest. Keeping Customer Data safe and secure is a top priority for Pabbly and a core company value. This is in keeping with Pabbly’s commitment to Privacy and Security by Design and Default.
Maintaining the security of our Services is paramount at Pabbly. We believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment. Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community. Together, we can achieve our common goal.
The security research community regularly makes valuable contributions to the security of organizations and the broader Internet. Pabbly recognizes that fostering a close relationship with the security research community will help improve our own security. When participants in our programs have information about a vulnerability in a Pabbly web application or Service, we welcome the submission of their findings.
Guidelines
Prior to reporting, please review the following information including our vulnerability disclosure program, scope, and other guidelines. To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
Follow this Disclosure Program, as well as any other relevant agreements
Do not cause any harm, hinder the operation of the application, or act against our Terms of Use Agreement.
Do not intentionally access non-public Pabbly data any more than is necessary to demonstrate the vulnerability.
Do not access, modify, destroy, save, transmit, alter, transfer, use or view data belonging to anyone other than yourself. If a vulnerability provides unintended access to data, please cease testing, purge local information, and submit a report immediately.
Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
Do not compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal.
Uncoordinated public disclosure of a vulnerability may result in disqualification from this program.
Use only the official channels designated (see “Reporting”) to discuss vulnerability information with us.
Examples of Qualifying Vulnerabilities
Authentication flaws
Circumvention of our Platform/Privacy permissions model
Cross-site scripting (XSS)
Server-side code execution.
Brute-force / rate-limiting / velocity-throttling issues, and other denial-of-service-based issues.
Clickjacking / CORS / CSRF / Content Security Policy / socket hijacking.
Examples of Non-Qualifying Vulnerabilities
Cookie flags/Strict Transport Security.
SPF, DKIM and DMARC issues.
Possibilities to send malicious links to people you know.
Mobile issues that require a Rooted or Jailbroken device.
XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing.
Reports from automated tools or scans.
Denial of Service vulnerabilities (DoS).
Security bugs in third-party websites that integrate with Pabbly.
Mixed-content scripts on pabbly.com.
Insecure cookies on pabbly.com.
Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible.
Out of Scope
https://pabbly.hellonext.co
https://forum.pabbly.com
Rewards
Our reward system is flexible and doesn’t have any strict upper or lower limit. This means particularly creative or severe bugs will be rewarded accordingly. The amount will depend exclusively on the severity of the vulnerability and on who reports it first, so we may deny a reported vulnerability if it has already been reported by someone else.
Rewards will be sent using PayPal once the vulnerability has been fixed. PayPal collects a fee for processing the transaction, which is deducted from the amount awarded.
Your findings should be supported by clear and precise documentation with no speculative information. All findings should have an indication of relevance and impact. Remember to provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during the discovery that will allow us to reproduce the vulnerability.
In reporting, please include the following information:
Vulnerable URL – the endpoint where the vulnerability occurs;
Vulnerable Parameter – if applicable, the parameter where the vulnerability occurs;
Vulnerability Type – the type of vulnerability;
Steps to Reproduce – step-by-step information on how to reproduce the issue;
Screenshots or Video – a demonstration of the attack; and
Attack Scenario – an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Timeline
We answer all submissions within a few days. Timelines for fixes will vary with the severity of the vulnerability and availability of engineering resources to address it.
We do our best to stay within these timelines, but resource availability and other priorities sometimes mean we take a bit longer. If we are going to take longer, we'll update you and let you know.
Please don't email us repeatedly for a status update. We won't reply to those requests, and will only reply when we have something to tell you. We promise to be in touch as we triage your submissions.