Vulnerability Disclosure Program

Welcome to Staybit's Vulnerability Disclosure Program!

At Staybit, we prioritize the security of our products and services. We recognize that the security community plays a crucial role in helping us identify and address vulnerabilities. We invite you to participate in our Vulnerability Disclosure Program (VDP) and contribute to making our systems more secure.

About the Program

What is a Vulnerability Disclosure Program?

A Vulnerability Disclosure Program is an initiative that encourages individuals to report security vulnerabilities to us. In exchange for responsibly disclosing security issues, participants can earn recognition and contribute to our security improvement efforts.

Scope

What is In Scope?

In our Vulnerability Disclosure Program, we are interested in receiving reports on security vulnerabilities that could potentially harm the security, integrity, or availability of Staybit's products and services. The domains below are examples of our assets.

  • *.staybit.com
  • *.clappy.io

What is Out of Scope?

While we appreciate all security-related reports, the following types of issues are generally out of scope for our program:

  • Low-risk or low-impact vulnerabilities that do not significantly affect the security of our systems.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma-Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Configuration of or missing security headers.
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing.
  • Issues that require unlikely user interaction.
  • Improper logout functionality and improper session timeout.
  • CORS misconfiguration without an exploitation scenario.
  • Lack of DNSSEC.
  • Broken link hijacking.
  • Lack of jailbreak detection in mobile apps.
  • Lack of SSL Pinning.
  • Finding hardcoded keys on mobile applications without a working attack scenario.

Recognition

Our Vulnerability Disclosure Program offers recognition on our Hall of Fame page as a token of our appreciation. We believe in acknowledging the efforts of security researchers who help us protect our users and systems. Here's how it works:

  • High Severity Issues: Security researchers who responsibly disclose high-severity vulnerabilities may be eligible for placement on our Hall of Fame page. This is an exclusive acknowledgment for those who help us enhance our security.

Hall of Fame

Our Hall of Fame is a dedicated page aimed at recognizing individuals and security researchers who have made significant contributions to the security of our products and services. As a member of our Hall of Fame, you'll receive:

  • Public Recognition: With your consent, your name will be displayed on our Hall of Fame page as a testament to your dedication to security.
  • Acknowledgment: We will include a brief description of your contributions and the vulnerabilities you've helped us address.
  • Appreciation: Our sincere thanks for your commitment to improving our security.

How to Participate

To participate in our Vulnerability Disclosure Program and have a chance to be featured on our Hall of Fame page, follow these steps:

  1. Identify a Security Vulnerability: Discover a security vulnerability in our products or services.
  2. Report the Vulnerability: Submit a detailed report to our security team at security@staybit.com, including information on how to reproduce the issue.
  3. Wait for Verification: Our security team will assess the report and verify the vulnerability.
  4. Responsible Disclosure: Work with us to address the vulnerability responsibly and avoid any malicious activity.
  5. Hall of Fame Acknowledgment: If you responsibly disclose a high-severity vulnerability, you may be eligible for a spot on our Hall of Fame page.

Responsible Disclosure

We expect all participants to adhere to responsible disclosure principles. This means that you should:

  • Not disclose the vulnerability publicly until we've had a chance to address it.
  • Avoid causing harm to our users or systems during your research.
  • Work with us in good faith to resolve the issue.

Get Involved!

Join us in our mission to enhance the security of our digital platforms. We appreciate your efforts and look forward to recognizing your contributions on our Hall of Fame page.

For more information about our Vulnerability Disclosure Program, contact our security team at security@staybit.com.

Thank you for helping us protect our users and systems.