Introducing Productboard Pulse. Exec-level insights into what your customers need, powered by AI. Learn more

Start free trial Try Now

Bug Bounty Program

The Productboard Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.

Productboard Bug Bounty programs at HackerOne platform

Productboard decided to move our Bug Bounty program to HackerOne platform. The main reason is to scale up with a larger amount of incoming reports and also to provide better experience for the cooperating security researchers.

There are two programs on HackerOne:

Vulnerability Disclosure Program (VPD)

  • Public program, see https://hackerone.com/productboard 
  • Full scope of the original in-house Bug Bounty program (*.productboard.com, *.satismeter.com)
  • No financial payments in this program, only HackerOne points. But after one valid report, we invite the researcher to the paid Bug Bounty program.

Bug Bounty Program (BBP)

  • Private program, only for invited researchers. Researchers will get an invitation after reporting one valid report to the VDP program.
  • Financial rewards processed by HackerOne platform.
  • Narrow scope: app.productboard.com only. No Satismeter or our WordPress sites.
  1. Out-of-scope Vulnerabilities
    We are interested in critical vulnerabilities in our infrastructure and product, not in an output of automated scannersThese vulnerabilities are out-of-scope and not subject to any reward:
  2.  

  3. Responsible Disclosure Policy

    We are interested in critical vulnerabilities in our infrastructure and product, not in an output of automated scannersThese vulnerabilities are out-of-scope and not subject to any reward:

     

    • Denial of service or Distributed Denial of service attacks

    • Presence/absence/misconfiguration of SPF/DKIM/DMARC records or any email misconfiguration in general

    • Lack of CSRF tokens

    • Clickjacking issues

    • Missing security headers which do not lead directly to a vulnerability

    • Missing best practices (we require exploitable evidence of a security vulnerability)

    • Reports from automated tools or scans

    • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)

    • Absence of rate limiting

    • Outdated software without any noteworthy vulnerability

    • Permission issues within a single business space. 

      • BUT permission issues in Team spaces, New boards and Custom permission are IN-SCOPE.

    • HTML Injection for Productboard Editor (comments, descriptions, details, etc.)

    • Password reset token leaks to third party services

    • EXIF metadata issues

    • Jira Service Desk is open to public

    • Using features from higher plans and other licensing issues

     

    Submission Process


    Please only submit one report per issue to     https://hackerone.com/productboard 

    When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Productboard’s prior written approval.

    Reward

    You may be eligible to receive a reward if:

    • (i) you are the first person to submit a given vulnerability;
    • (ii) that vulnerability is determined to be a valid security issue by the Productboard Security Team
    • (iii) you have complied with the Productboard’s Bug Bounty program policy and guidelines.

    The decision to grant a reward for the discovery of a valid security issue is at Productboard’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your report, ease of exploit and overall risk for Productboard’s users and brand.

    Legal Safe Harbor

    Any activities conducted in a good faith and in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

      • For more information, visit https://productboard0wpenginecom.kinsta.cloud/product/security/
      • Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.BUT permission issues in Team spaces, New boards and Custom permission are IN-SCOPE