Vulnerability Disclosure Program (VDP)

Introduction

Pitchbox is dedicated to protecting data safety and security for our users. Our Vulnerability Disclosure Program provides security professionals with clear guidelines for conducting vulnerability discovery activities to encourage responsibility, professionalism, and discretion when dealing with any potential sensitive matters.

Guidelines

When acting in accordance with Pitchbox’s VDP objectives we expect you to:

  • Operate in good faith. Never intentionally view, store, modify, or destroy data that does not belong to you, or cause any harm that would impact application performance.
  • Notify us via the approved channel as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit to pivot to other systems.
  • Act in accordance with our Terms of Service.
  • Maintain the confidentiality of all information related to your findings.
  • Only perform testing on in-scope systems and services (see below).

Please note that participants in this program are required to maintain the confidentiality of all information related to their findings. Never disclose vulnerabilities or privileged information to any entity outside of Pitchbox before receiving our explicit permission. This gives us the opportunity to remediate the issue(s).

Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test Methods

The following test methods are NOT authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

In-scope Systems and Services

Pitchbox’s Vulnerability Disclosure Program covers Pitchbox-owned web services under the following domain(s):

*.pitchbox.com

Exclusions

Some components and services of Pitchbox are either hosted or operated by third-party vendors or partners (e.g. docs.pitchbox.com), and are excluded from the scope.

Vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope or not, please contact us first.

In-scope vulnerabilities include, but are not limited to, security misconfigurations, SQL and XML injection, RCE, CSRF, and XSS.

Out-of-scope

Only manual or semi-manual tests will be accepted. Automated scan reports produced by scripts and/or tools are out of scope.

The following is out of scope:

  • Attacks involving stolen credentials or physical access to endpoint devices
  • User enumeration/brute forcing attacks
  • Denial of Service (DoS)
  • Man-in-the-middle attacks (MITM)
  • Physical attacks on Pitchbox offices and property
  • Social engineering and phishing attacks
  • DNS configuration issues, including missing SPF/DKIM/DMARC records
  • Missing rate limiting protections
  • Any other submission assessed to be of low risk or impact

Reports and activities that violate the allowed testing methods and scope parameters outlined above will be considered bad-faith conduct and will be treated as illegal.

Reporting and Submission Requirements

Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

If you believe you’ve discovered a security issue or vulnerability in one of our products, please email us at vdpreport@pitchbox.com and include the following details:

  • Full description of the vulnerability or issue.
  • Step-by-step instructions on how to reproduce the issue.
  • Concrete documentation of the issue (no theoretical or speculative assumptions).
  • Supporting evidence such as screenshots, videos, traffic logs, Web/API requests and responses, and IP address used for testing.
  • Refrain from uploading screenshots, videos, or exploit code to a publicly accessible server/repository.
  • Attach your supporting evidence directly to the email (do not zip or archive it).

We support PGP-encrypted email; you can use our PGP public key to encrypt your communications with us.

Thank you for helping us keep Pitchbox safe and secure.