Confirmit Vulnerability Reporting Policy

This document gives general guidelines on finding and disclosing vulnerabilities regarding Confirmit's applications and services.

Services in scope

  • Main website: www.confirmit.com
  • SaaS sites: *.euro.confirmit.com, *.us.confirmit.com, *.confirmit.com.au, *.confirmit.ca, *.confirmit.de
  • Applications distributed by Confirmit from our company webpages, Google Play and Apple AppStore

Services not in scope

  • Installations of Confirmit software on servers not operated by Confirmit.
  • Other sites which are not operated by Confirmit such as: learning.confirmit.com and ok.confirmit.com.
  • Third party services used on www.confirmit.com, learning.confirmit.com, extranet.confirmit.com, www.confirmit.ru.

Rules of engagement

Due to legal agreements with our clients, performing security scans on our SaaS environments is not permitted. We still welcome observations made through normal usage of our applications as well as reports on unexpected behavior. If you obtain data or personally identifiable information without authorization, you are required to delete all instances of the data, logically and in some cases physically, and you are kindly requested to inform us of this. We request the following from you:

  • You give us, and where relevant our clients, reasonable time to investigate and mitigate findings before sharing any information with others.
  • You do not exploit a security vulnerability for any reason. We will assess the full possible impact of the finding ourselves.
  • Confidentiality of any details of the vulnerability must be strictly maintained. Publicly disclosing the particulars of the vulnerability, such as how and where it was found or how it can be exploited, is forbidden.
  • You do not target other users, respondents or companies without authorization.
  • Stress testing/denial of service (DoS or DDoS) is not allowed.
  • Automated scanning for software vulnerabilities is not allowed.
  • You may only access the minimum amount of pages/records needed to verify the finding. Accessing further records, scripted or not, is not allowed.
  • Once you have sufficient proof of a vulnerability do not proceed to exploit further but send us proof of what you have found/achieved.
  • Critical vulnerabilities such as data loss/leakage/destruction, RCE and SQL Injection should be reported immediately. Other findings can be reported collectively in a single report.

Qualifying vulnerabilities

Examples include SQL injection, RCE, XSS, CSRF, authentication flaws, missing authorization and server-side code execution.

Non-qualifying vulnerabilities

Confirmit’s flexible platform enables our clients to generate their own content within surveys and reports. As this content is not maintained or owned by Confirmit, we can only share findings on such content with our clients; we cannot guarantee remediation, timelines or communication on behalf of our clients.

Other non-qualifying vulnerabilities include, but are not limited to:

  • Lack of user self-management in password protected surveys.
  • Lack of observable rate limiting/throttling mechanism.
  • Bugs requiring the use of browsers that are not on our supported browser list for that application.
  • Bugs requiring user to disable security features or perform unlikely actions.
  • Clickjacking/UI redressing with no practical security impact.
  • Findings that pose no effective risk that can be proven, for example a missing Secure flag on a cookie scoped to an HSTS domain, or missing flags on non-sensitive cookies.
  • SPF, DMARC, DKIM and DNS settings.

Reporting

Send your reports to vulnerabilityreport@confirmit.com. Please use https://www.confirmit.com/.well-known/pgpkey.txt to encrypt your report.

For vulnerabilities on SaaS systems, your report should include surveyid/projectid, reportid or similar if applicable.

Vulnerabilities with a common root cause or duplicated across multiple servers/domains count as a single finding. If there are multiple instances of what appears to be the same vulnerability, please list them all in one report.

Bug Bounty

We do reward valid reports on actual vulnerabilities on systems in scope. Most bounties will be awarded in the form of online gift cards or online payment (e.g. PayPal). No employment is implied by reporting vulnerabilities or receiving bounties. US-based researchers may be required to provide additional information required by Confirmit to meet federal taxation regulations prior to receiving any awards.

Valid, in-scope vulnerabilities are typically rewarded as follows:

  • Findings on our SaaS sites, *.euro.confirmit.com, *.us.confirmit.com, *.confirmit.com.au, *.confirmit.ca, *.confirmit.de and applications distributed by Confirmit: $100-$1000
  • Findings on www.confirmit.com, extranet.confirmit.com, www.confirmit.ru and other in-scope *.confirmit.com domains: $50-$250
  • The reward amount will be commensurate with risk, impact and scope, as determined by Confirmit's Information Security Team.
  • Only the first reporter will be recognized.
  • The same vulnerability, which may exist on more than one URL/URI, will be counted as a single finding; however, widespread proliferation of a vulnerability may play a role in increasing the reward amount.

Note: Confirmit reserves the right to alter this policy at its discretion at any time, effective immediately.