Testsigma Vulnerability Disclosure Program
Quick Overview
Testsigma aims to improve product security through responsible testing and submission of previously unknown vulnerabilities. We're extremely grateful to the security researchers and users who report vulnerabilities to the Testsigma team. Our team thoroughly investigates all reports.
We do not currently have a bug bounty program. However, if you think you've spotted a bug in our system, let us know, and we'll include you in our wall of fame for your eagle-eyed efforts.
- To report a potential vulnerability, please email us at security@testsigma.com
- The responsible disclosure of security vulnerabilities helps us build a secure application for the entire community and ensure the security and privacy of all our users.
In Scope Testing
All bug testing must be done only on In Scope Targets. Please refer to the details in the Out of Scope section before proceeding.
- In principle, the Testsigma web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all content under the following domains: *.testsigma.com
Reporting Guidelines
To participate in our vulnerability reporting program, please follow these guidelines:
- Only submit original, previously unreported vulnerabilities.
- Include a description of the vulnerability and its potential impact.
- Provide a detailed description of the steps required to reproduce the vulnerability and, where available, a video proof of concept (POC).
- Do not attempt to access or modify any data that does not belong to you.
- Please do not attempt to disrupt the operation of our systems or services.
- Do not publicly disclose the vulnerability without prior approval from us.
Policy
- Reach out to security@testsigma.com if you have found a potential vulnerability in our products that meets the criteria described in this policy.
- You can expect an acknowledgment from our security team within 24 hours of submission.
- The Testsigma team will define the severity of the issue based on the impact and the ease of exploitation.
- We may take 3 to 5 days to validate the reported issue.
- Actions will be initiated to fix the vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is resolved.
Qualifying Vulnerabilities
The following vulnerability categories are considered qualifying vulnerabilities and will be prioritized and fixed:
1. HTML Injection
2. Cross-Site Scripting (XSS)
3. CSV Injection
4. Open Redirection
5. Client Side Controls
6. Securing Cookies
7. SQL Injection & Sensitive Information Disclosure
8. Cross Site Request Forgery
9. Broken Access Control
10. CORS Misconfiguration
Non-Qualifying Vulnerabilities
The following vulnerability categories are considered out of scope:
1. Self-XSS
2. Host header and banner grabbing issues
3. Automated tool scan reports (for example, web, SSL/TLS, or Nmap scan results)
4. Missing HTTP security headers and cookie flags on insensitive cookies
5. Rate limiting, brute force attack
6. Login/logout CSRF
7. Session timeout
8. Unrestricted file upload
9. Open redirections
10. Formula/CSV Injection
11. Denial of Service (DoS)/Distributed Denial of Service (DDoS)
12. Vulnerabilities that require physical access to the victim machine
13. User enumeration such as user email, user ID, etc.
14. Phishing / Spam (including issues related to SPF/DKIM/DMARC)
15. Vulnerabilities found in third-party services
16. EXIF data not stripped from images
Hall of Fame
While we won't be able to shower you with riches for finding and disclosing vulnerabilities to us, we can offer you something just as valuable: a spot in our hall of fame. Testsigma truly appreciates your legendary efforts.
We would like to recognise the efforts of the following individuals for their contribution to our responsible disclosure program. Please accept our sincerest gratitude to every one of you.
We look forward to working with you to keep our systems secure.