bipp Responsible Disclosure Policy
Data security is a top priority for bipp. We’re building a BI platform that’s designed to scale as data volumes grow and data demands increase. End-to-end data security is a company-wide priority, with staff policies, industry certification and highly customizable controls helping ensure our customers' data is safe.
As part of our commitment to security, bipp believes that working with skilled security researchers can identify weaknesses in any technology. We encourage the security community to help disclose security vulnerabilities to us in a responsible way.
- If you believe you've discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org. We will acknowledge your report within three working days.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the bipp service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
- We will notify you when the vulnerability is fixed, and reward you for identifying the issue.
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of bipp employees or contractors
- Any attacks against bipp’s physical property or data centers
Thank you for helping to keep bipp and our users safe.
Examples of Qualifying Vulnerabilities
- Flaws in Authentication/Authorization flow
- Issues leading to evasion of the privilege/permissions model
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- SQL injection
- Server-side code execution
Examples of Non-Qualifying Vulnerabilities
- Denial of Service (DoS)
- Issues related to DMARC, SPF and other DNS records
- Possibilities to send malicious links to people you know
- Security bugs in third-party websites that integrate with bipp
- Insecure cookies
- Flaws affecting the users of out-of-date browsers
- User/email enumeration and brute-force attacks, unless it is demonstrated that rate limiting is not in place
We are most interested in vulnerabilities in app.bipp.io. Vulnerabilities reported for bipp.io are not rewarded.
- Only one reward will be awarded per vulnerability. However, vulnerabilities arising from the same underlying issue may be combined when considering a reward.
- If the same vulnerability is reported by multiple people, only the person providing the first clear report will receive a reward.
- Rewards are based on severity, impact, and report quality. Our security team must be able to reproduce the issue from your report.
- Reports that are vague or merely describe security best practices are unlikely to be considered for rewards. Reports should include proper reproduction steps, explanations with screen recordings, working code, etc.
- Rewards are paid out in the form of Amazon Gift Cards. If you reside in a country where Amazon Gift Cards are not redeemable, please send us an email mentioning your preferred mode of payment at email@example.com.
- To receive a reward, you must reside in a country not on the U.S. sanctions list.
- bipp reserves the right to terminate or discontinue the program at its discretion.
- The decision to consider a report for a reward, and the reward amount, are solely at the discretion of bipp, and any decisions made are deemed final.
We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://bipp.io/company/disclosure.
bipp is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to send an email to firstname.lastname@example.org.