If you believe that you have found a security vulnerability on Showbie, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page, including our responsible disclosure policy.
Scope
The only target in scope is my.showbie.com, and any HTTP requests made from that subdomain (i.e. to admin.showbie.com
). All other Showbie domains such as www.showbie.com
, support.showbie.com
, etc. are out of scope.
Responsible Disclosure Policies
Showbie aims to keep its service safe for everyone, and data security is of utmost priority. If you're a security researcher and have discovered a security vulnerability in the service, we appreciate your help in disclosing it to us in a responsible manner. In return, we promise to investigate reports promptly.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
Performing actions that may negatively affect Showbie or its users (e.g. Spam, Brute Force, Denial of Service, etc).
Accessing, or attempting to access, data or information that does not belong to you. If you want to test cross-account access please sign up for additional free accounts.
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
Performing automated vulnerability scans.
Attempting non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Theoretical XSS or Self-XSS attacks without evidence of exploitability, such as input being reflected in response.
Email and account policies such as reset method and password complexity.
Other Important Policies to Note
The target URL is the same used by our customers. Please keep this in mind and act accordingly.
No attacks against Showbie's existing user base.
No phishing.
No DDoS attacks.
This is Showbie's primary production environment. We accept valid PoCs of app-level Denial of Service vulnerabilities, but PoCs that intentionally stress or risk the availability of our services will be considered abuse.
Do not create more than 3 accounts as part of your testing. Failure to comply may result in your account access being blocked.
You agree to obey all restrictions in Showbie Terms of Use.
Confidentiality
All submissions made to Showbie shall be Showbie’s “Confidential Information” and must be kept confidential and only used in connection with the researcher’s activities in connection with this Policy. You may not use, disclose or distribute any such Confidential Information without Showbie's prior written consent.
In the event that your security vulnerability results in any unauthorized access to or disclosure of “personal information”, you agree that you shall not export, collect or otherwise use such personal information and you shall notify Showbie immediately of any access to or disclosure of such information.
Vulnerability Classification
Declined
False-positive and/or very minor criticality that will not result in a change of code.
Duplicate
We are aware of the issues from any other source.
Low
Vulnerabilities like insecure cookies, clickjacking or insufficient
password complexity are generally of low criticality as they are
dependant on other issues and cannot be exploited by themselves.
Medium
Cross-site request forgery (XSRF or CSRF) vulnerabilities or those
that might result in the changing of user's data.
High
Vulnerabilities of high criticality are those that would result in
bypassing authentication. An example of a high critical vulnerability
is a successful SQL-injection that could be used to read data, delete
users, or other kinds of database modifications.
We use OWASP_Risk_Rating_Methodology as our classification guide.
Liability and Indemnification
We won’t take legal action against those who discover and report security vulnerabilities in good faith and otherwise accordance with this Responsible Disclosure Policy. Showbie reserves all of its legal rights in the event of any noncompliance with this Policy or its Terms of Use.
Showbie shall have no liability to you for any losses or damages caused by your research or discovery of any bug or security vulnerability. You hereby agree to defend, indemnify and hold harmless Showbie Inc., its affiliates and each of their officers, directors, employees and agents from and against any claims, liabilities or losses arising from your breach of this Policy or Showbie’s Terms of Use.
Compensation Requests
Showbie may choose to compensates security researchers based on the following factors:
The severity of the issue identified (we use the OWASP Risk Rating Methodology).
The quality of the reporting.
Showbie’s internal risk assessment of the issue.
Whether or not the issue has already been disclosed to Showbie prior to your submission (we only pay out once per issue).
Showbie will work with the researcher to facilitate payment. Payment amounts are entirely at Showbie’s discretion — which is something you agree to when submitting bugs as part of this program. You are responsible for paying any taxes associated with your receipt of compensation.
In order to be eligible to receive compensation, the following requirements and guidelines apply to all researchers submitting bug reports:
The researcher submitting the bug must not be a current of former (in the past six months before making the submission) employee of subcontractor of Showbie or any of its affiliates, or an immediate family member or household member of an employee of Showbie or any of its affiliates.
The researcher submitting the bug must not be the author of the vulnerable code.
The researcher must not disclose the bug publicly before a fix is released or otherwise try to exploit it.
How to Report Security Vulnerabilities
Please do not publicly disclose these details without the express written consent from Showbie.
When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it.
Your input and feedback on our security are always appreciated. As much as we want to respond to all reports, it’s not feasible for us to do so. We typically only reward vulnerability reports that are classified as High.
Reports classified as Low, Duplicate, Declined will usually not receive a response but will be added to our internal issue tracker.
When reporting any suspected vulnerabilities, please use Showbie's security vulnerability reporting form.