At Staybit, we prioritize the security of our products and services. We recognize that the security community plays a crucial role in helping us identify and address vulnerabilities. We invite you to participate in our Vulnerability Disclosure Program (VDP) and contribute to making our systems more secure.
About the Program
What is a Vulnerability Disclosure Program?
A Vulnerability Disclosure Program is an initiative that encourages individuals to report security vulnerabilities to us. In exchange for responsibly disclosing security issues, participants can earn recognition and contribute to our security improvement efforts.
Scope
What is In Scope?
In our Vulnerability Disclosure Program, we are interested in receiving reports on security vulnerabilities that could compromise the confidentiality, integrity, or availability of Staybit's products and services. The domains below are examples of our assets.
- *.staybit.com
- *.clappy.io
- *.lastrelease.io
What is Out of Scope?
While we appreciate all security-related reports, the following types of issues are generally out of scope for our program:
Low-Impact Vulnerabilities
- Low-risk vulnerabilities with minimal security implications.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
- Self-XSS requiring unlikely user interaction.
- Username/email enumeration on login pages.
- Open redirects to trusted domains.
- HTML forms without CAPTCHA (unless demonstrating automated abuse).
- Verbose error messages in development or testing environments.
Configuration-Related Issues
- Missing or misconfigured security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, etc.).
- Missing HTTP Strict Transport Security (HSTS) preloading.
- Suboptimal SSL/TLS configuration without demonstrable security impact.
- Weak or missing Content Security Policy (CSP) configurations.
- Missing HttpOnly or Secure flags on cookies.
- Missing rel="noopener noreferrer" on external links.
- Missing Feature-Policy/Permissions-Policy headers.
- Missing Clear-Site-Data header.
- Missing cookie prefixes (e.g., __Secure-, __Host-).
- Missing Subresource Integrity (SRI) on third-party scripts.
- Misconfigured X-Permitted-Cross-Domain-Policies header.
- Missing or incomplete Referrer-Policy header.
Email and DNS-Related Issues
- Missing or misconfigured email security records (SPF, DKIM, DMARC, etc.).
- Missing CAA DNS records.
- Missing BIMI records.
- Lack of DNSSEC.
Mobile Application Issues
- Lack of jailbreak/root detection.
- Lack of SSL pinning.
- Hardcoded API keys or credentials without a practical attack scenario.
Physical or Uncommon Access Requirements
- Attacks requiring MITM or physical access to a user's device.
- Vulnerabilities affecting outdated browsers (more than two stable versions behind the latest).
- Issues requiring social engineering or unlikely user interactions.
Service Disruption & Rate Limiting
- Any activity that could disrupt our service (e.g., DoS attacks).
- Rate limiting or brute-force issues on non-authentication endpoints.
Other Non-Exploitable Issues
- Previously known vulnerable libraries without a working Proof of Concept.
- CSV injection without demonstrating a security impact.
- Software version disclosure or banner identification.
- Tabnabbing without an exploit scenario.
- Broken link hijacking.
- Improper logout functionality or session timeout without security implications.
- CORS misconfiguration without an exploitation scenario.
We encourage researchers to focus on vulnerabilities that present substantive security risks to our users or systems.
Recognition
Our Vulnerability Disclosure Program offers recognition on our Hall of Fame page as a token of our appreciation. We believe in acknowledging the efforts of security researchers who help us protect our users and systems. Here's how it works:
- High Severity Issues: Security researchers who responsibly disclose high-severity vulnerabilities may be eligible for placement on our Hall of Fame page. This is an exclusive acknowledgment for those who help us enhance our security.
Hall of Fame
Our Hall of Fame is a dedicated page aimed at recognizing individuals and security researchers who have made significant contributions to the security of our products and services. As a member of our Hall of Fame, you'll receive:
- Public Recognition: With your consent, your name will be displayed on our Hall of Fame page as a testament to your dedication to security.
- Acknowledgment: We will include a brief description of your contributions and the vulnerabilities you've helped us address.
- Appreciation: Our sincere thanks for your commitment to improving our security.
How to Participate
To participate in our Vulnerability Disclosure Program and have a chance to be featured on our Hall of Fame page, follow these steps:
- Identify a Security Vulnerability: Discover a security vulnerability in our products or services.
- Report the Vulnerability: Submit a detailed report to our security team at [email protected], including information on how to reproduce the issue.
- Wait for Verification: Our security team will assess the report and verify the vulnerability.
- Responsible Disclosure: Work with us to address the vulnerability responsibly and avoid any malicious activity.
- Hall of Fame Acknowledgment: If you responsibly disclose a high-severity vulnerability, you may be eligible for a spot on our Hall of Fame page.
Responsible Disclosure
We expect all participants to adhere to responsible disclosure principles. This means that you should:
- Not disclose the vulnerability publicly until we've had a chance to address it.
- Avoid causing harm to our users or systems during your research.
- Work with us in good faith to resolve the issue.
Get Involved!
Join us in our mission to enhance the security of our digital platforms. We appreciate your efforts and look forward to recognizing your contributions on our Hall of Fame page.
For more information about our Vulnerability Disclosure Program, contact our security team at [email protected].
Thank you for helping us protect our users and systems.