Podium Vulnerability Disclosure Policy

Introduction

Podium is committed to ensuring the security of its users by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy and how to send us vulnerability reports.

We encourage you to contact us to report potential vulnerabilities in our systems.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Guidelines

Here are some general guidelines for researchers looking into our environment:

  • Respect the privacy of user accounts. Do not excessively access information that is not relevant to your test. Use test accounts or data wherever possible.
  • Do not disclose a vulnerability to non-Podium personnel without Podium’s explicit written consent.
  • If access is gained into an internal system, do not use that access to pivot and explore other internally accessible services. For the purposes of your report, ending reproduction steps at this point will be sufficient for our team to triage and appropriately assess severity.
  • Do not go beyond what is necessary to prove a vulnerability exists.
  • Do not take any action that could impact the performance or availability of our services — be mindful when using automated scanners and tools.
  • Never save or make copies of private data from Podium services.

In-Scope

Assets:

Out-of-Scope

Assets:

  • https://www-staging.podium.com – Our main marketing website; it is an externally hosted WordPress site
  • *.podium.com – Any subdomain that is not listed above in the section titled “In-Scope”

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Rate limiting or brute-force issues on any endpoints
  • Attempts to access our offices or data centers
  • Attacks requiring phishing as a main attack method (can be ignored on a case-by-case basis)
  • Attacks where spamming a customer is the primary impact
  • Vulnerabilities in a vendor we integrate with
  • Pages prone to Clickjacking
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user’s device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma-Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Improper scope on session cookies
  • Expiration time on session cookies being too generous
  • Session does not immediately invalidate on logout / password change
  • Missing Anti-CSRF protections
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
  • Out of date libraries / packages, unless the library / package can be leveraged into a different vulnerability inside the context of the application
  • Tabnabbing
  • Open redirect – unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction

At this time, Podium’s Bug Bounty Program is in Private, invite-only mode and is not yet ready for public participation.

We do believe that a valid report submitted in compliance with this policy which is in-scope and requires code change deserves monetary compensation. Once the security team has had time to review your report and it is determined that it is a valid report in line with our Bug Bounty Program, we will reach out to you for your contact information to get you added to our private program.

We ask that, at this time, you submit your findings through this process first and have the Security team invite you to the Bug Bounty Program rather than withholding your report until an invite is received. We follow this process as a way to vet out-of-scope or erroneous reports, and we can guarantee you that if your report leads to a significant code change, we will invite you to our program and provide a reward.

Reporting Process

If you believe that you have a finding to disclose, please submit your report to [email protected] with the header: VDP Report – VULN_TYPE followed by the reproduction steps (please replace VULN_TYPE with the name of the vulnerability you believe to have discovered).

The security team will acknowledge receipt of the report within 3 business days. After assessing the validity of your report, we will respond with next steps (whether it is valid or invalid).

We do not support PGP-encrypted emails at this time.