Version 1.2 - Effective June 21, 2022
Responsible Disclosure
We are dedicated to maintaining the security and privacy of the Conveyor services and customer data. We welcome security researchers from the community who want to help us improve our products and services.
If you discover a security vulnerability, please give us the chance to fix it by emailing us at security@conveyor.com. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Thank you for your work and interest in making the community safer and more secure!
Bounty Program
Conveyor awards security researchers cash and prizes for reporting in scope vulnerabilities. Please email security@conveyor.com to report an issue.
If you would like to be eligible for a bounty, please read this carefully. We reserve the right to discontinue issuing bounties at any time. Bounties will be issued via bill.com and additional documentation may be required based on residence of the researcher.
Rules
- NEVER attempt to gain access to another user's account or data.
- NEVER attempt to degrade the services.
- NEVER impact other users with your testing.
- Test only on in-scope domains, listed below.
- Do not send video proof of concepts.
- Do not use fuzzers, scanners, or other automated tools to find vulnerabilities
Doing any of the above will render you ineligible for cash bounties and prizes.
In-Scope Services
Only the following services are in-scope:
- app.conveyor.com
- api.conveyor.com
- auth.conveyor.com
Please do not test or report issues with services not listed here, especially our marketing site www.conveyor.com.
Out-of-Scope Issues
The following types of reports/attacks are out of scope. Do not attempt them:
- Reports about any service not listed under "In-Scope Services," above
- DOS attacks
- Brute force attacks
- Physical vulnerabilities
- Social engineering attacks, including but not limited to:
- ~phishing
- ~email auth (SPF, DKIM, etc.)
- ~hyperlink injection in emails
- CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
- Self-XSS and issues exploitable only through self-XSS
- Clickjacking and issues only exploitable through clickjacking
- Functional, UI and UX bugs and spelling mistakes
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP error codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Presence of application or web browser "autocomplete" or "save password" permission
- User enumeration on pages such as "login" or "forgot password"
- Absence of rate limits
- EXIF on public images such as company logo
Top Researchers
Researchers are listed here based on adherence to these program guidelines, professionalism, and significance or novelty of the issue(s) reported:
- Dr. Jens Müller
- Aniket Kudale
- Imran Parray
- Siddharth Pasalapudi
- Tinu Tomy
- Shail Patel
- KK Global Solutions
Updates
We may periodically update the scope and guidelines of our program so please check back here periodically.