Vulnerability Disclosure Plan

Overview


The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the ReachHub security team.


We invite you to help us bolster our ongoing efforts to safeguard our systems and data by reporting any vulnerabilities you may find through our Vulnerability Disclosure Program.



Responsible Disclosure


If you believe you have identified a potential security vulnerability, please share it with us following the guidelines below.


Please note ReachHub does not operate a bug bounty program and we make no offer of reward or compensation for sharing potential security vulnerabilities.



Guidelines


  • Do not engage in any actions that could negatively impact the user experience on our websites or applications for ReachHub clients/customers.
  • Do not take any actions that could potentially or literally cause harm to our clients or employees.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  • Do not store, share, compromise or destroy any ReachHub or client data. If non-public information is encountered, you should immediately cease all activity, purge the data from your system and contact ReachHub. This serves to protect both ReachHub and you.
  • Provide ReachHub a reasonable time frame for fixing or remediating any issue prior to public disclosure.


Reporting Criteria


For all submissions, please include the following:


  • Steps to reproduce the vulnerability (screen captures encouraged)
  • Targets
  • Tools used


Valuable Vulnerabilities


  • Remote Code Execution
  • SQL Injection
  • Privilege Escalation
  • JS Injection
  • Insecure Direct Object Reference


Sample Valuable Vulnerability Report


Authentication bypass was found on a mobile-to-web application. Access to certain functions was disabled by client-side JavaScript. By removing the necessary variables, a user can use features that were previously restricted.



Out-of-Scope Vulnerabilities


The following vulnerabilities are considered out of scope for ReachHub’s Vulnerability Disclosure Program:


  • Physical testing
  • Social engineering
  • Phishing
  • Denial of service attacks
  • Resource exhaustion attacks


Reporting


To file a report, please email security@reachhub.com