Data security is a top priority for bipp. We’re building a BI platform that’s designed to scale as data volumes grow and data demands increase. End-to-end data security is a company-wide priority, with staff policies, industry certification and highly customizable controls helping ensure our customers' data is safe.

As part of our commitment to security, bipp believes that working with skilled security researchers can identify weaknesses in any technology. We encourage the security community to help disclose security vulnerabilities to us in a responsible way.

Disclosure Policy

  • If you believe you've discovered a potential vulnerability, please let us know by filling the form here or by emailing us at security@bipp.io. We will acknowledge the same within three working days.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the bipp service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
  • We will notify you when the vulnerability is fixed, and reward you for identifying the issue

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of bipp employees or contractors
  • Any attacks against bipp’s physical property or data centers

Thank you for helping to keep bipp and our users safe.

Examples of Qualifying Vulnerabilities

  • Flaws in Authentication/Authorization flow
  • Issues leading to evasion of the privilege/permissions model
  • Clickjacking
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • SQL injection
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  • Denial of Service (DOS)
  • DMARC, SPF and other DNS records related issues
  • Possibilities to send malicious links to people you know
  • Security bugs in third-party websites that integrate with Bipp
  • Insecure cookies
  • Flaws affecting the users of out-of-date browsers
  • User/email enumeration and brute force attacks unless it is demonstrated that rate limiters are not in place

We are most interested in vulnerabilities with app.bipp.io and bipp.io. Other subdomains of Bipp are generally not eligible for rewards unless the reported vulnerability somehow affects app.bipp.io or Bipp user data.

Rewards

  • Only 1 reward will be awarded per vulnerability. However, vulnerabilities arising out of the same issue may be combined together while considering for reward.
  • In case the same vulnerability is reported by multiple persons, only the person offering the first clear report will receive a reward.
  • Rewards are based on severity, impact, and report quality. Our security team must be able to reproduce the issue from your report.
  • Reports that are vague or are merely depictions of security best practices are unlikely to be considered for rewards . Reports should include proper reproduction steps, explanations with screen recordings, working code etc.
  • Rewards are paid out in the form of Amazon Gift Cards. If you reside in a country where Amazon Gift Cards are not redeemable, please send us an email mentioning your preferred mode of payment at security@bipp.io
  • To receive a reward, you must reside in a country not on the U.S. sanctions list.
  • Bipp reserves the right to terminate or discontinue the program at its discretion.
  • The decision to consider a report for reward and the reward amount is solely at the discretion of Bipp and any decisions made are deemed final.

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://bipp.io/company/disclosure.

Contact

bipp is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to send an email to contact@bipp.io.