BUG BOUNTY PROGRAM
If you believe you have found a security issue or vulnerability, please submit the report to our security team by following the guidelines below.
Scope Targets:
- https://scrapfly.io
- https://api.scrapfly.io
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Scrapfly not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This program excludes (regardless of coverage indicated above):
- Clickjacking
- External SSRF
- Anything related to Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Brute Force attacks on our Login or Forgot Password pages
- Account lockout enforcement
- Internal IP address disclosure
- Username / Email Enumeration
- No Captcha / Weak Captcha / Captcha Bypass
- Missing HTTP security headers
- Cookie Issues
- SSL Issues
- Weak password policies (length, complexity, etc.)
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Scrapfly’s platform
- Vulnerabilities that require social engineering
- Out-of-date browsers and plugins
- Vulnerabilities in 3rd party applications that do not directly affect our data or service
- Spam of any kind
- Denial of service attacks
- Issues already known by us or previously reported to us by others
- Issues that we have determined to be of acceptable risk
Submissions containing issues related to the above list of exclusions will not be eligible for reward. If you have found a vulnerability that is excluded by our program, you may still report it as part of our vulnerability disclosure program.
Act responsibly
The rules of responsible disclosure of vulnerabilities include, but are not limited to:
- Avoid accessing, exploiting, or exposing any customer data other than your own.
- Avoid any action that may cause a degradation of our services, or will harm our customers (for example overloading our systems)
- Do not use any social engineering techniques, such as sending phishing emails to Scrapfly’s employees, partners, or customers
- When methods are used that do not comply with your local law and/or the above-mentioned responsibility rules, law enforcement authorities will be notified
Reproducibility
Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw. Please include:
- Type of vulnerability
- When applicable, include the URL
- The potential impact of the vulnerability
- Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code needed to reproduce it
- Screenshots and/or videos illustrating the vulnerability
Definition of a Vulnerability
To be eligible for a reward, your finding must be considered valid by the Scrapfly security team. If your vulnerability report affects a product or service within scope, you may receive a bounty award.
Reward
Scrapfly retains sole discretion in determining which submissions are qualified for bounty rewards. We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.
We are particularly interested in:
- Sensitive data exposure: stored cross-site scripting (XSS), SQL injection (SQLi), etc.
- Authentication- or session management-related issues
- Remote code execution
- Major exposures around customer data leak
- Issues that result in full compromise of a system
- Business logic bypasses resulting in significant impact
- Major operational failure (excluding Denial of Service related submissions)
- Particularly clever vulnerabilities or unique issues that don’t fall into explicit categories
Keep in mind:
- Only one bounty will be awarded per vulnerability
- If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
- Our reward system is flexible. We have no minimum or maximum amounts as rewards are based on severity, impact, and report quality.
- Vulnerabilities affecting our platform or platform-related plugins typically have a higher impact.
Reporting
You can contact us via legal[at]scrapfly.io to report any vulnerability or if you have questions about this program.
The Vulnerability Rating Taxonomy is the baseline guide used for classifying technical severity.
Scrapfly generally scores vulnerabilities based on their CVSS score.
Disclosure Policy
Scrapfly understands the importance of disclosure of vulnerabilities and we are happy to allow disclosure in certain instances.
Rules
- You must receive explicit permission from Scrapfly if you would like to disclose any finding or vulnerability. This includes any findings listed on the program exclusion list above.
- You may not discuss any vulnerabilities with anyone or on any forum outside of Scrapfly’s bug bounty program, unless getting permission from Scrapfly.
- Reports that are not considered valid vulnerabilities (Informative, Spam, etc.) are not eligible for disclosure.
- Only resolved reports are eligible for disclosure.
- The request for disclosure must be made by the bug bounty hunter who originally reported the vulnerability to Scrapfly.
- Duplicate reports are not eligible for disclosure.
Requesting Permission
To request permission for disclosure, you may email legal[at]scrapfly.io.
Scrapfly has the right to approve or deny the request for any reason.
Violation of Terms
By participating in Scrapfly’s bug bounty program, you are agreeing to this policy.
If any of the rules of this disclosure policy are broken, Scrapfly has the right to take legal action against the person who violated the rules. That person will also be banned from all future participation in the Scrapfly bug bounty program.