Responsible Disclosure Policy

At Formstack we fully support the security community and appreciate the work done by independent researchers to help make and keep data secure. To this end, we encourage responsible reporting of any security vulnerabilities discovered in our products or services as set out in this Responsible Disclosure Policy (“Policy”). 

We expect independent researchers to communicate information about potential vulnerabilities responsibly by complying with all applicable laws and avoiding degradation of our customers’ and end-users’ experience, disruption to any systems, products, services, or infrastructure and destruction of data. We also ask that independent researchers protect user privacy and security by refraining from publicly disclosing any vulnerabilities.

Scope

This Policy applies to the following domains and services:

  • All Formstack domains and sub-domains
  • All Formstack products

Submitting Reports

To help ensure that we have enough information to properly evaluate a potential issue, please include the following information in your report:

  • A description of the issue explaining the vulnerability, including the steps to reproduce the issue, and potential impact to the user or service.
  • The product feature, component, or service resource that is impacted, including any relevant URLs.
  • A proof-of-concept or functional method that consistently demonstrates the issue, or logs that show the impact of successful exploitation.
  • Any specific circumstances, configurations, or conditions required to exploit the issue.
  • Send the report to our dedicated security email: security@formstack.com.

What to Expect

Once we receive your report, we will stay in touch with you to provide updates on our investigation. During this time we might also request additional information.

Out of Scope

Please note, certain types of issues are considered out of scope for our vulnerability disclosure program. 

  • Non-Qualifying Vulnerabilities: These include, but are not limited to, issues such as:
    • Best practices or recommendations without specific security impact.
    • Email spoofing or DMARC-related issues.
    • Clickjacking on pages with no sensitive actions.
    • Unauthenticated/logout CSRF.
    • Vulnerabilities in third-party services not under Formstack’s control. 
    • Vulnerabilities that do not, by themselves, expose a service or application to attack. 
    • Vulnerabilities that do not have a real, meaningful impact as decided by Formstack.

Restrictions

While we encourage you to responsibly find and report vulnerabilities, the following is expressly prohibited:

  • Performing actions that may negatively impact Formstack, its users and/or end-users (e.g. spam, brute force, denial of service).
  • Accessing, or attempting to access, saving, copying, storing, transferring, disclosing or otherwise retaining data or information that does not belong to you.
  • Destroying, modifying, or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
  • Conducting any kind of physical or electronic attack on Formstack personnel, property, or data centers.
  • Social engineering any Formstack service desk, employee, or contractor.
  • Conducting vulnerability testing of participating services using anything other than test accounts.
  • Violating any laws or breaching any agreements in order to discover vulnerabilities.

Public disclosure of the report details of any identified or alleged vulnerability without the express written authorization of Formstack will deem the report noncompliant with this Policy. 

Legal Safe Harbor

Formstack reserves all of its legal rights in the event of noncompliance with this Policy. However, Formstack commits to not pursuing legal action against individuals who: 

  • Comply with this Policy;
  • Report vulnerabilities without malicious intent; and
  • Avoid privacy violations, disruption of services, and destruction of data. 

Formstack reserves the right to modify or discontinue this Policy at any time at its sole discretion. 

Bug Bounty

Currently, Formstack does not have a paid bug bounty program.