Vulnerability Reporting Guidelines

  • Submit the form below if you have found a potential vulnerability in Salesmate that meets all the criteria listed below.
  • Please refrain from doing security testing in existing customer accounts.
  • When conducting security testing, make sure not to violate our terms of use or privacy policies, modify/delete unauthenticated user data, disrupt production servers, or degrade the user experience.
  • You may disclose discovered vulnerabilities only via the form, documenting whether each finding is potentially in or out of scope.
  • Exposing a vulnerability to the public is against our responsible disclosure policy.

Exclusions

While researching, we ask you to refrain from the following, as these issues will be closed as Not Applicable:

  • Denial of service
  • Spamming
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Mobile application issues that can only be exploited on a compromised device
  • Open HTML redirects
  • Arbitrary file upload – CDN
  • Issues with DNS records such as SPF, DKIM or DMARC
  • Insufficient password policy implementation
  • Use of HTTP Strict Transport Security (HSTS)
  • You must not attempt to gain access to, or interact with, any accounts other than those created by you
  • The use of commercial scanners is prohibited (e.g., Nessus)
  • Social engineering (including phishing) of Salesmate’s staff or contractors
  • Any physical attempts against Salesmate’s property or data centers

Qualifying Security Bugs

All reported bugs are qualified based on their impact on customers' production data.

We will consider other security vulnerabilities if they have an impact and are exploitable with a working, non-intrusive proof of concept (POC).

In-Scope Domains

  • *.salesmate.io

Bug Severity

Salesmate will define the severity of the issue based on its impact and the ease of exploitation.