SpeedCurve Bug Bounty Program
SpeedCurve runs an informal bug bounty program. Rewards may be offered based on the severity of the bug. Please read all of the following before deciding whether to participate.
Rules
- Check the list of ineligible bugs before sending any reports.
- Even if a bug is considered to be eligible, it will only receive a reward if SpeedCurve considers the severity to be high enough.
- Rewards are given at SpeedCurve’s discretion, and the size of each reward is decided by SpeedCurve on a case-by-case basis.
- All reports must be sent to security@speedcurve.com. Reports sent to any other address will be ignored.
- Reports must contain only one bug. Reports containing multiple bugs may be ignored.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- By participating in SpeedCurve’s bug bounty program, you acknowledge that you have read and agree to SpeedCurve’s terms of service (https://www.speedcurve.com/terms/) as well as the following:
  - you are not currently a SpeedCurve employee or contractor, were not a SpeedCurve employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.
  - your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
  - you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
  - SpeedCurve reserves the right to terminate or discontinue the Program at its discretion.
  - you will only test for vulnerabilities on sites you know to be operated by SpeedCurve.
- SpeedCurve may not be able to reward any individual on any New Zealand sanctions list, or any individual residing in a New Zealand sanctioned country or region.
How to submit a bug report
- Send an email to security@speedcurve.com. Ensure the subject starts with “[BUG BOUNTY]” and contains a short description of the bug.
- Include your name, company (if applicable), and country of residence.
- Describe what the bug allows attackers to do, e.g. SQL injection, XSS, or bypass authorization logic.
- List the steps required to reproduce the bug.
- Please allow up to 10 working days for the report to be processed. Note that SpeedCurve may not reply if your bug is ineligible (see the List of ineligible bugs section below).
Types of bugs that will be considered for rewards
- Arbitrary code/command execution on a server in our production network.
- Arbitrary SQL queries on a production database.
- Bypassing the login process, not including the “Share View” functionality.
- Access to sensitive production user data or access to internal production systems, including discovering credentials or keys.
- Accessing or modifying another user’s data in a SpeedCurve application.
- Bypassing authorization logic, e.g. modifying resources with a view-only user.
- Injecting arbitrary content into a SpeedCurve application (XSS) that bypasses CSP.
- Bypassing CSRF validation for actions within a SpeedCurve application.
List of ineligible bugs
- Bugs that are only “cosmetic”, e.g. displaying arbitrary content on a SpeedCurve page, or altering the layout or style of a SpeedCurve page.
- Bugs relating to DNS records, e.g. DMARC, DKIM, SPF.
- Bugs relating to emails.