Vulnerability reporting

Found a security issue?

Please let us know responsibly. We'll work with you to quickly resolve the issue.

# How to report an issue

If you have discovered an issue that is not covered by our list of out-of-scope vulnerabilities, please send an email to security@fortrabbit.com with the following details:

  • A summary of the issue and potential impact
  • A breakdown of the steps to replicate the issue
  • Details of the environment you are using
  • If available, any proof-of-concept code to exploit the vulnerability

Upon receiving your email, our team will start investigating the issue. We will keep you updated on the progress and may get back to you for further details if needed. Once the issue is resolved we will update our customers.

# Bounties

  • No bug bounty: We have high regard for white hat hacking culture, but there is no bug bounty program in place yet.
  • No beg bounty: Don't report trivial issues such as a missing `X-Frame-Options: SAMEORIGIN` header or missing DMARC records.

# Focus areas

  • Authentication bypass and privilege escalation
  • Exposure of personally identifiable information (PII)
  • Access to data outside of the authenticated workspace
  • SQL injection and remote command execution

# In scope

  • fortrabbit dashboard
  • fortrabbit public services
  • SSH environments

# Out of scope

  • Automated scanning: Scripts or tools that automatically scan for vulnerabilities are not allowed.
  • Social engineering: Attempts to manipulate or trick employees (including Linear employees) are strictly prohibited.
  • Denial of service attacks: Any activity that intentionally disrupts or overloads our systems is forbidden.
  • Physical access attacks: Exploiting vulnerabilities requiring physical access to a victim's computer is not permitted.
  • Theoretical attacks: Reporting vulnerabilities without proof of exploitability is not eligible for a reward.
  • Man-in-the-middle attacks: Interception of communication between users and our systems is prohibited.
  • Clickjacking (low-impact): Clickjacking attempts on pages with no sensitive actions (e.g., login) are not considered vulnerabilities.
  • Self-sabotage by privileged users: High-level users exploiting bugs to damage their own workspace does not qualify for a reward.
  • Logic bugs (account abuse): Exploiting bugs to bypass limitations on free accounts and access paid features is not eligible for a reward.
  • Security misconfigurations (informational): Identifying missing best practices in content security policy (CSP), email DNS records, or cookies may be reported but likely won't qualify for a reward.

# We kindly ask you

  • Responsible testing: Only test vulnerabilities on your own accounts or those for which you have explicit permission from the owner.
  • Respect user privacy: Avoid any actions that could violate user privacy, such as copying, destroying, or compromising data. Additionally, refrain from actions that could disrupt or degrade our service functionality.
  • Least privilege: If you gain authorized access to our systems, don't attempt to access additional systems or escalate your privileges beyond what's necessary.
  • Coordinated disclosure: If you discover a vulnerability, do not make it public before reporting it to us. This will allow us to address the issue swiftly and prevent potential exploitation. Provide us with a reasonable time frame to develop and release a fix.

# Safe harbor

Activities that follow this policy are considered authorized, and we won't take legal action against you for them. If a third party sues you for actions compliant with this policy, we'll defend your compliance.

# Security hall of fame

  • Mayank Bhatodra
  • Salman Khan Champion
  • sec crew
  • Nils L.
  • Syed Khaja Faiz
  • Kullai Metikala