It’s important that Scripbox can be contacted quickly and effectively with security concerns, or with information pertinent to our customers’ and our service partners’ privacy or to the confidentiality, integrity or availability of our systems.
We operate this responsible disclosure (bug bounty) policy to help security professionals and others alert us of any security concerns as quickly as possible and with minimal hassle.
2. Response Targets
Scripbox will make reasonable efforts to respond in a timely manner to any submissions to our programme. We’ll try to keep you informed about our progress throughout the process and alert you if there are any delays.
3. Disclosure Policy
Please always act responsibly and in the best interests of Scripbox and our customers. In particular, please:
Do not break the law;
Do not use social engineering techniques, phishing, or physical attacks against our customers, infrastructure or staff;
Do not perform any attack that could harm the reliability or integrity of our systems, services or data. DoS and/or spam attacks are not allowed;
Do not put any Scripbox data or customer data at risk;
Do not make the bug public before it has been fixed; and
When in doubt, please email us at firstname.lastname@example.org.
When reporting an issue to us, please:
Highlight security issues in third-party apps or websites that integrate with scripbox.com;
Provide a detailed and complete submission (masking or encrypting if necessary);
Reference existing vulnerability information, where relevant.
Out-of-scope areas and exceptions include:
DoS or DDoS.
Destructive or performance-impacting attacks or testing.
Social engineering or phishing.
Submissions of TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS 1.0 or TLS 1.1 support, Sweet32, etc.) or certificate issues.
Submissions indicating that our services do not fully align with “best practice”, e.g. missing security headers (CSP, X-Frame-Options, x-prevent-xss, etc.) or suboptimal email-related configuration (SPF, DMARC, etc.).
Simple rate-limiting issues without a security impact.
Submissions entirely comprising output from commonly available automated scanners.
Submissions that do not pertain to Scripbox assets.
Submissions of non-exploitable vulnerabilities.
It is important to follow the above guidelines so that we treat your communication as a responsible disclosure and not as an attack or extortion.
Be aware that Scripbox runs internal scans and testing and we may already be aware of any submission.
All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by our in-house team. We do not offer a published score against CVSS metrics or similar. Each submission is judged on its own merit, applying many factors such as severity, business function of the system, the cost to mitigate, etc.
We do not guarantee that a reward will be paid and Scripbox’s assessment of the severity of an issue and the corresponding amount of any reward, if any, will be final.
To be eligible for a reward, you must agree and adhere to our rules set out in section 5 below.
By submitting a report, you agree to comply with the following rules:
The terms of our Privacy Notice. In particular, you agree that we can use your submission and its contents to ensure the security, integrity and reliable operation of our systems, technology and business;
The applicable sections of our Terms and Conditions and Regulatory requirements, outlined here.
Upon Scripbox’s request, you will agree and sign: (i) a Non-Disclosure Agreement; and (ii) a Letter of Undertakings, formally confirming that you have not downloaded, made copies of or shared with any third parties any information accessed by you and belonging to Scripbox, and undertaking that you will continue to do the same.
Your submission should contain the following:
Clear description and evidence of the vulnerability (logs, screenshots, responses);
Detailed steps to reproduce the issue;
Any platforms, operating systems, versions that are relevant;
Any relevant IP addresses or URLs;
Any supporting evidence you have collected (logging, tracing, etc.);
Your assessment of the exploitability or impact of the issue;
Your name, role (if appropriate) and contact details.
Please preserve as much evidence as possible as we may need to examine it.
We reserve the right to consider certain sites or subsites to be ineligible for any bounty or disclosure rewards.
It is important that we respond quickly and effectively; however, we take steps to manage spam so that we can quickly identify relevant email and therefore quality submissions. We discourage and will not respond to:
Reports of generic vulnerabilities with no evidence of relevance to our systems;
Denial-of-Service attacks (DoS);
Reports of any information already in the public domain;
Reports that are vague or non-actionable.
We are grateful for your service and will respond quickly if we believe that you are reporting an issue in good faith, in line with this policy, and with the best interests of Scripbox, its customers and its service partners at heart.
6. Safe Harbour
Please know that activities conducted in a manner consistent with this policy do not make you liable for any legal action.
If legal action is initiated by a third party against you in connection with activities conducted in a manner consistent with this policy, we will ensure that it is known that your actions were conducted in compliance with this policy.
Please treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential. You must not share or otherwise use it for any purpose other than emailing it to us as a submission as described above. Making Scripbox’s confidential information public will harm many lives.
Submit your findings here
This policy exists entirely at our discretion and may be modified or cancelled at any time.
Thank you for helping keep Scripbox and our users safe!