Bug Bounty Program

The Cronofy Bug Bounty Program applies to security vulnerabilities found within Cronofy’s public-facing online environment. This includes, but is not limited to, Cronofy’s websites, APIs, infrastructure, and devices. For the protection of our customers, we do not disclose, discuss or confirm security matters until we have comprehensively investigated, diagnosed and fixed any known issues.

How bugs should be reported

Bugs should be reported to support@cronofy.com. This ensures that all bug reports are logged and have an appropriate ticket assigned to them.

Guidelines for reports

In general, a report will be deemed valid if it demonstrates a proof of concept which shows a clear security issue that could target users in a realistic scenario.

Note that not all actionable findings are payable. We may take actions based on a report, but that alone does not make it eligible for a reward as part of this program. Examples of this are broad sweeps which point towards best practices such as DMARC configuration or handling of CORS headers.

Generally ineligible examples

  • Bugs in our business logic that do not impact security
  • Vulnerabilities and bugs in our customers’ applications and integrations
  • Self-exploitation – when the vulnerability depends on a user taking actions that only harm their own experience, and does not leak others’ data or otherwise harm the service
  • If a scenario requires a victim to take highly unrealistic patterns of behaviour to be exploited
  • Scenarios requiring victims to have outdated and unsupported software or operating system versions
  • Scenarios requiring physical access to victims or infrastructure
  • Missing best practices such as DMARC, rate limiting, or CORS configuration – unless a replicable and realistic scenario is presented which exposes user data as a result
  • Arbitrary file hosting on our CDN

We do not reward testing which is inherently dangerous. This includes:

  • Attacks on infrastructure such as DDoS
  • Social engineering such as employee impersonation
  • Spamming emails or abusing rate limits

Rewards

A reward is paid to researchers on the basis that:

  • You are the first person to report the vulnerability
  • The vulnerability is determined to be a valid security issue by Cronofy’s Engineering team
  • The vulnerability research has not intentionally harmed the service for others, including degradation of services, denial of service attacks and unauthorized access to personal data
  • The vulnerability is not publicly disclosed before the issue is closed by Cronofy

The value of the reward depends on the priority of the bug reported. If a reward is offered following the review of a report, an invoice for the agreed amount will need to be provided.

Ineligible Reports

The Cronofy Engineering Team is responsible for the final decision on any vulnerability reports. The validity of reports and appropriate rewards will remain at the discretion of Cronofy. By submitting a vulnerability you agree that you have not disclosed and will not disclose the vulnerability to anyone other than Cronofy.

Cronofy reserves the right to suspend any users who are found to be in breach of this policy or who act in an unprofessional or threatening manner.

Cronofy reserves the right to suspend the Bug Bounty Program at any time without prior notice.