Bluescape Vulnerability Disclosure Policy

Security is our highest priority. We appreciate your participation in this program as the disclosure of security vulnerabilities enhances our security program to protect data and the privacy of our users. This document outlines the requirements of participation, as well as our commitments to you.

Requirements

By participating in this program, you agree to the following:

  • Will not engage in any activity that may reasonably cause or actually cause harm to Bluescape, our customers, or our employees.

  • Will not engage in any activity that may reasonably interrupt, disable or degrade Bluescape services or assets.

  • Will not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.

  • Will not store, share, compromise or destroy data.

  • Will not share or process any information that may be linked to an individual, i.e. Personally Identifiable Information (PII). If PII is encountered, you will immediately halt your activity, purge related data from your system, and immediately contact Bluescape.

  • Will use best efforts to comply with industry best practices to avoid any of the following: conflicts with privacy or security regulations or best practices, degradation of user experience, disruption to production systems, and destruction of data during security testing.

  • Will only perform research within the scopes outlined in writing by Bluescape.

  • Will use the identified communication channels to promptly report vulnerability information to Bluescape.

  • Keep information about any vulnerabilities you’ve discovered strictly confidential until the later of (a) a minimum of 90 days from reporting or (b) written confirmation from Bluescape that the issue has been resolved.

If you follow these requirements, we commit to:

  • Not pursue or support any legal action related to your research;

  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);

  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

In Scope

  • https://www.bluescape.com

  • *.us.bluescape.com

  • developer.bluescape.com and any associated SDKs

  • Bluescape Mobile Applications

  • Bluescape Linux and Windows clients

Out of Scope

The following test types are strictly excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)

  • Findings derived primarily from social engineering (e.g. phishing, vishing)

  • Findings from applications or systems not listed in the ‘In Scope’ section

  • UI and UX bugs and spelling mistakes

  • User enumeration

  • Network level Denial of Service (DoS/DDoS) vulnerabilities

  • Insecure cookie settings

  • Self-cross-site scripting

  • Vulnerabilities affecting users of outdated browsers, plugins or platforms

  • Descriptive/Verbose error pages without proof of exploitability or obtaining sensitive information

  • Directory structure enumeration (unless the fact reveals exceptionally useful information)

  • Issues related to password/credential strength, length, lock outs, or lack of brute-force/rate limiting protections

  • Low-impact information disclosures (including software version disclosure)

  • Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability

  • Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g. an outdated jQuery version leading to a low-impact XSS)

  • Valid bugs that are not directly related to the security posture of the client

  • Use of automated vulnerability scanners against any services

  • Information disclosure or DoS through native WordPress functionality, including wp-json or other REST API endpoints

  • Email spoofing through missing or misconfigured DKIM, DMARC, or SPF records

  • Brute-force or load testing

In no circumstances will you share or send:

  • Personally Identifiable Information (PII)

  • Payment or financial information

How to Report a Security Vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing [email protected]. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;

  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and

  • Your name/handle and a link for recognition in our Hall of Fame. Your name will be added within 10 business days of your submission.