Introduction
At Smarsh, we prioritize the security and privacy of our customers and the integrity of our systems. We are committed to maintaining a safe and secure environment and appreciate the efforts of security researchers in identifying potential vulnerabilities. Our Vulnerability Disclosure Program (VDP) outlines how security researchers can responsibly report vulnerabilities and what they can expect in return.
Our commitment
If you identify a valid security issue in any of our products or services, we will:
- Acknowledge receipt of your report promptly
- Work with you to understand and validate the issue
- Address the vulnerability in a timely manner
- Credit you publicly on our Hall of Fame (if desired) for your responsible disclosure
Scope
The Smarsh VDP applies to Smarsh applications, data and infrastructure, subject to the guidelines herein as well as those provided by HackerOne.
Exclusions
- Third-party services not owned or operated by Smarsh
- Social engineering attempts against employees, contractors or Smarsh customers (e.g., phishing)
- Physical attacks
- Denial of service (DoS) attacks
- Resource exhaustion attacks
- Automated vulnerability scanners without prior approval
- Extortion / ransomware attacks
Out of scope
- CVSS score of 3.9 or lower
- Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps
- Clickjacking on pages with no sensitive actions
- Cross-site request forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in content security policy
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers
- Public zero-day vulnerabilities that have had an official patch for less than one month will be accepted on a case-by-case basis
- Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)
- Tab-nabbing
- Open redirect – unless an additional security impact can be demonstrated
- Broken link hijacking
- Any non-critical issues against development / testing instances
- Previously known vulnerable libraries without a working proof of concept
- Comma-separated values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS
- Missing HttpOnly or secure flags on cookies
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
How to report a vulnerability
Report a vulnerability directly on HackerOne.
Safe harbor
Smarsh believes that security research performed in good faith should be provided safe harbor. For the purposes of safe harbor for security research and reporting vulnerabilities, we have adopted the Gold Standard Safe Harbor. We look forward to working with security researchers who share our passion for protecting our customers.
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in “good faith security research,” which accesses a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability. This activity is carried out in a manner designed to avoid any harm to individuals or the public. Additionally, the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider good faith security research to be an authorized activity that is protected from adversarial legal action by Smarsh. We waive any relevant restrictions in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflict with the standard for good faith security research outlined here.
This means that, for activity conducted while this VDP is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted good faith security research if someone else brings legal action against you
You should contact us for clarification before engaging in conduct that you think may be inconsistent with good faith security research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
Recognition
While this is not a formal bug bounty program, Smarsh recognizes and appreciates the efforts of researchers.
At our discretion, we may offer:
- Public acknowledgment on our Hall of Fame
- Invitations to early access programs, future bug bounty programs, or beta features
Response timeline
Smarsh is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response confirming receipt of your initial report within three business days, timely updates, and monthly check-ins throughout the engagement. You may request updates at any time, and we welcome dialogue to clarify any concerns or to coordinate disclosure.
Public notification
If applicable, Smarsh will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
In order to protect our customers, Smarsh requests that you not post or share information about a potential vulnerability in any public setting until we have addressed the reported vulnerability and informed customers if necessary. Also, we respectfully ask that you do not post or share any data belonging to our customers. Please note that the time required to mitigate a vulnerability depends on the severity of the vulnerability and the affected systems.
When participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any in-scope vulnerabilities you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the previously mentioned channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time from the initial report to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to effectively demonstrate a proof-of-concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Final notes
- By submitting a vulnerability, you agree to comply with this VDP and all applicable laws
- Smarsh reserves the right to update this VDP at any time
- If you have any questions, please reach out to smarshvdp@smarsh.com
Thank you
We sincerely thank you for helping us keep Smarsh secure. Your contributions make a real difference!