Security Bug Reports
We take security very seriously here at SimplyBuilt!
As such, we appreciate security-related issues that are responsibly reported to us. Please review our Rules and Guidelines for bug reports before you start hunting. If you think you have found an issue, we encourage you to report it to us using the form below.
We are no longer paying out cash bounties for non-critical issues. Please keep this in mind when reporting a perceived issue!
- Do not attempt to gain access to another user's information or data.
- Do not attempt attacks against other users during your research.
- Do not use automated or scanner tools. Please, no DoS/Spam attacks either!
- Do not publicly disclose the issue until we've been able to patch it.
- Only target the my.simplybuilt.com domain and the sites you publish through the app.
- Never attempt non-technical/social attacks against other users or SimplyBuilt staff.
What Does Not Qualify?
- Issues that require a large amount of user interaction and/or social engineering.
- Issues only affecting legacy browsers, extensions or plugins.
- Any type of brute forcing or automated attack will not qualify for bounties.
- Attack vectors that require request interceptor tools or developer tools.
- Vulnerabilities that SimplyBuilt has deemed to be at an acceptable level of operational risk.
- Issues that have already been reported to us via the bug bounty program.
- Issues targeting our support or other third-party sites.
Will credit be given?
Absolutely! Once the issue is patched, we will tweet about it. Within the tweet, we will include a name and link to the researchers responsible for reporting the issue (unless, of course, you do not want that).
I submitted an issue but have not gotten a response!
Please allow us at least 24 hours to get back to you. We review each report very carefully and want to fully understand the scope of all issues reported.
Do you have a PGP key? Can I submit an issue directly?
Yes and yes! Our PGP key is available here. Feel free to send encrypted (and signed) reports using the form below.
Just Contact Us!