Introduction
ChartMogul is committed to the security of our customers and their data. We work with security researchers worldwide to keep our platform safe. If you have discovered a security issue affecting our services, please let us know, and we'll act immediately.
We support Coordinated Vulnerability Disclosure as our bi-directional communication framework with security researchers.
This program describes how ChartMogul works with the security community to find and responsibly report security vulnerabilities.
Currently, we do not have a bug bounty program and do not offer monetary rewards for vulnerability reporting.
Scope
*.chartmogul.com
Conditions
Security researchers must not:
- Access, attempt to access, or assist in accessing or attempting to access accounts or data that does not belong to them.
- Perform attacks that could harm the reliability or integrity of our services or data.
- Violate our Terms of Service, Privacy Policy, or applicable law or regulation, or otherwise negatively impact the privacy or integrity of our users, employees, systems, services, or data.
- Disclose any found vulnerabilities to the public while they have not been resolved.
- Use automated scanning tools that could affect our infrastructure availability.
- Use the discovered vulnerability in any way beyond proving/demonstrating its existence (e.g., exploiting the vulnerability to pivot to internal systems, compromising a system and maintaining permanent access to it, etc.).
- Use social engineering, spam, or phishing techniques.
Issues Not to Report
The following is a non-exhaustive list of issues that you should not report unless you believe there is an actual vulnerability:
- Reports from automated tools or scans
- Configuration suggestions for DNS, HTTP, and mail services
- Clickjacking, phishing, or social engineering techniques
- Denial of Service (DoS / DDoS) attacks against ChartMogul systems or services
- Disclosure of known public files or directories (e.g., robots.txt)
- Banner disclosure on common/public services
- Missing HTTP security headers that do not lead directly to a vulnerability
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Password, email, and account policies, such as email id verification, reset link expiration, or password complexity
- Rate limit testing of web forms
- Cross-Site Request Forgery (CSRF) on both forms available to anonymous users and login/logout functionalities
- Use of a known-vulnerable library without evidence of exploitability
How to Submit a Vulnerability
Please submit vulnerability reports to ChartMogul’s Security Team at security@chartmogul.com.
Recognition
ChartMogul may publicly recognize authors who report valid vulnerabilities on our upcoming Hall of Fame page at our sole discretion.
Safe Harbor
ChartMogul will not take legal action against security researchers who submit vulnerability reports following the terms and conditions of this program. However, failure to abide by the terms and conditions of this program will result in the loss of being considered a security researcher hereunder.
Legal
ChartMogul reserves the sole right to terminate or modify the terms and conditions of this program at any time. By reporting a security vulnerability to ChartMogul, you agree to the then-current terms and conditions of this program and Terms of Service, Privacy Policy, and any other public policies of ChartMogul.
Updated: May 25, 2023