Contentsquare Security Disclosure Policy

At Contentsquare, we take security and privacy very seriously.

Contentsquare appreciates your effort to help us build secure products and bring better user experiences to everyone on the internet.

 

Spotting Security & Privacy issues

If you have discovered a vulnerability in Contentsquare or any other serious security or privacy issue, please send a detailed report to security@contentsquare.com.

If the report is valid, we will invite you to our bug bounty program on YesWeHack, and you will be rewarded according to the severity of the finding.

 

Vulnerability Disclosure Policy

Maintaining the security, privacy, and integrity of our products is a priority at Contentsquare. We appreciate the work of researchers who help improve our security and privacy posture, and we are committed to providing a safe and transparent environment for reporting vulnerabilities.

If you believe you have found a security bug in our service, we will be happy to work with you to resolve the issue promptly and to ensure you are fairly rewarded for your discovery.

Please adhere to the following rules:

  • Let us know as soon as possible after discovering a potential security issue (reach us at security@contentsquare.com), and we will make every effort to resolve it quickly
  • Give us a reasonable amount of time to understand, analyze and resolve the issue before any disclosure
  • Do not disclose the vulnerability, even partially, to any third party without formal acknowledgement from Contentsquare staff
  • You must be the first to report the vulnerability, and it must be a qualifying vulnerability (see below)
  • You must not be a current or former employee or contractor of Contentsquare
  • Send a clear written description of the issue together with the steps to reproduce it, including attachments such as screenshots or proof-of-concept code where useful
  • If you find the same vulnerability in several places, create a single report and list the additional instances in comments. You will be rewarded according to your findings and the criticality of the affected asset.

 

Scope

Services provided by Contentsquare and any subdomain of contentsquare.com are in scope. Additional domains are listed on the Contentsquare YesWeHack program as they become available.

Qualifying vulnerabilities

  • Remote Code Execution (RCE)
  • SQL Injection
  • Server-Side Request Forgery (SSRF)
  • Stored Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) on a critical action
  • Insecure Direct Object Reference (IDOR)
  • Broken authentication & session management
  • Exposure of sensitive secrets
  • Subdomain-takeover
  • Privilege escalation (caused by the mobile SDK)

Non-qualifying vulnerabilities

  • Anything not listed in the qualifying vulnerabilities
  • Attacks requiring physical access to a user's device
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on iOS version 10 and below
  • Exploits that are only possible on a rooted or jailbroken device
  • Lack of code obfuscation
  • Lack of binary protections (jailbreak/root detection, anti-debugging controls)
  • Attacks that require the user's device to already be compromised (e.g. by local malware)
  • Crashing your own application
  • Exploiting a generic Android or iOS vulnerability
  • Any attack requiring a social-engineering step
  • Hypothetical flaws or best-practice findings (missing security headers, SPF/DKIM/DMARC records, server or software version disclosure, autocomplete attributes, etc.) without an exploitable proof of concept
  • CVEs in components without an exploitable proof of concept
  • Login, logout, unauthenticated or low-value CSRF
  • Vulnerabilities affecting users of outdated browsers and platforms
  • Self-XSS, reflected XSS and HTTP Host header XSS
  • Open redirect
  • Reports of weak SSL/TLS ciphers (unless you have a working proof of concept)
  • Mixed content warnings
  • Brute force / password reuse attacks
  • User enumeration attacks
  • Zero-day vulnerabilities disclosed within the last 15 days
  • Denial of service
  • Missing cookie flags on non-sensitive cookies
  • Permissive CORS configuration, unless you can show how to exploit it to compromise sensitive information
  • Predictable object IDs
  • Unvalidated reports from automated web vulnerability scanners (Acunetix, Vega, etc.)
  • Exposure of private IP addresses
  • Clickjacking / UI redressing
  • Vulnerable library versions without a demonstrable attack vector
  • Stack traces, or disclosure of known public files or directories (e.g. robots.txt)

 

Rewards

The scope of our bug bounty program is currently limited to the vulnerability classes and assets listed above. We nevertheless thank everyone who submits out-of-scope findings, and we reserve the right to reward an out-of-scope vulnerability that presents a significant security risk.

Please note that Contentsquare will determine, at its discretion, whether a reward is granted and its amount, but will aim to be fair.