Overview
The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the ReachHub security team.
We invite you to help us bolster our ongoing efforts to safeguard our systems and data by reporting any vulnerabilities you may find through our Vulnerability Disclosure Program.
Responsible Disclosure
If you believe you have identified a potential security vulnerability, please share it with us following the guidelines below.
Please note ReachHub does not operate a bug bounty program and we make no offer of reward or compensation for sharing potential security vulnerabilities.
Guidelines
- Do not engage in any actions that could negatively impact the user experience on our websites or applications for ReachHub clients/customers.
- Do not take any actions that could potentially or actually cause harm to our clients or employees.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy any ReachHub or client data. If non-public information is encountered, you should immediately cease all activity, purge the data from your system and contact ReachHub. This serves to protect both ReachHub and you.
- Provide ReachHub a reasonable time frame for fixing or remediating any issue prior to public disclosure.
Reporting Criteria
For all submissions, please include the following:
- Steps to reproduce the vulnerability (screen captures encouraged)
- Targets
- Tools used
Valuable Vulnerabilities
- Remote Code Execution
- SQL Injection
- Privilege Escalation
- JS Injection
- Insecure Direct Object Reference
Sample Valuable Vulnerability Report
Authentication bypass was found on a mobile-to-web application. Access to certain functions was disabled by client-side JavaScript. By removing the necessary variables, a user can use features that were previously restricted.
Out-of-Scope Vulnerabilities
The following vulnerabilities are considered out of scope for ReachHub’s Vulnerability Disclosure Program:
- Physical testing
- Social engineering
- Phishing
- Denial of service attacks
- Resource exhaustion attacks
Reporting
To file a report, please email security@reachhub.com