The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the ReachHub security team.
We invite you to help us bolster our ongoing efforts to safeguard our systems and data by reporting any vulnerabilities you may find through our Vulnerability Disclosure Program.
If you believe you have identified a potential security vulnerability, please share it with us following the guidelines below.
Please note ReachHub does not operate a bug bounty program and we make no offer of reward or compensation for sharing potential security vulnerabilities.
- Do not engage in any actions that could negatively impact the user experience on our websites or applications for ReachHub clients/customers.
- Do not take any actions that could potentially or literally cause harm to our clients or employees.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy any ReachHub or client data. If non-public information is encountered, you should immediately cease all activity, purge the data from your system and contact ReachHub. This serves to protect both ReachHub and you.
- Provide ReachHub a reasonable time frame for fixing or remediating any issue prior to public disclosure.
For all submissions, please include the following:
- Steps to reproduce the vulnerability (screen captures encouraged)
- Tools used
- Remote Code Execution
- SQL Injection
- Privilege Escalation
- JS Injection
- Insecure Direct Object Reference
Sample Valuable Vulnerability Report
The following vulnerabilities are considered out of scope for ReachHub’s Vulnerability Disclosure Program:
- Physical testing
- Social engineering
- Denial of service attacks
- Resource exhaustion attacks
To file a report, please email firstname.lastname@example.org