You must use your own Beamer account when researching bugs. Using third-party accounts without consent is strictly prohibited.
Automated tests are not allowed
Bugs and security concerns should be addressed to bugbounty@getbeamer.com
Each bug will be treated separately even if reported with other bugs
You should be the first person to report the bug to be entitled for a reward. Duplicate reports will not have compensation rights, unless additional information is provided.
Compensation will be based on the severity of the bug finding.
Bug Bounty rewards will be paid by PayPal in U.S. dollars after the bug is fixed.
Security research should be conducted following industry standards and no legal actions should be initiated against security researchers, as long as they comply with this policy and guidelines.
Bounty Process
A new bug is reported through bugbounty@getbeamer.com
The report should be detailed enough to be able to recreate the issue.
Screenshots, videos or GIFs should also included as proof of the issue.
Make sure bugs are not related to cached data and perform several tests with the same result before reporting it.
Once the report is received we will check if the bug has already been reported or if it is already being fixed. If not, we will determine the severity of the bug based on the guidelines below, communicate the reward and keep you posted on the resolution.
Once the bug is fixed, we will reward the reporter through PayPal.
Reward Matrix
Bounty rewards are subject to assessment, depending on the severity of the report and the impact on users.
Low quality bugs may not qualify to reward or could be assessed below the lowest tier.
Bug Severity tier
Reward
Critical
$200
High
$100
Moderate
$50
Low
$25
Bug severity tiers are described below:
Severity: Critical
Remote Code Execution
SQL Injection
SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
Privilege Escalation affecting all accounts
Broken Authentication affecting all accounts
Reward: $200
Severity: High
Information leaks or disclosure of customer data
Reward: $100
Severity: Moderate
Broken Authentication affecting a single account
Privilege Escalation affecting a single account
Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
SSRF to an internal service, hosted by Beamer
Information leaks or disclosure (including customer data)
Reward: $50
Severity: Low
“Tab-Nabbing” or other rel=”noopener” bugs
Mixed content issues
Server misconfiguration or provisioning errors
Reward: $25
Exclusions.
The following bugs are unlikely to be eligible for a bounty reward:
Denial of Service attacks
Brute Force attacks
“Advisory” or “Informational” reports that do not include any Beamer-specific testing or context
Issues found through automated testing
“Scanner output” or scanner-generated reports
Publicly-released bugs in internet software within 3 days of their disclosure
Spam or Social Engineering techniques, including:
SPF and DKIM issues
Content injection
Hyperlink injection in emails
IDN homograph attacks
RTL Ambiguity
Content Spoofing
Self XSS Attacks and Stored XSS Attacks on the Post Editor (excluding stored XSS on other parts of the site. eg, Post Comments)
Vulnerabilities requiring physical or remote access to the victim’s unlocked device
Issues relating to Password Policy
Full-Path Disclosure on any property
Version number information disclosure
Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
CSRF-able actions that do not require authentication (or a session) to exploit
Reports related to the following security-related headers:
Strict Transport Security (HSTS)
XSS mitigation headers (X-Content-Type and X-XSS-Protection)
X-Content-Type-Options
Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
Bugs that do not represent any security risk – these should be reported to support@getbeamer.com
Security bugs in third-party applications or services built on the Beamer API – please report them to the third party that built the application or service
