Vulnerability Disclosure Program

Updated on June 1, 2023.

For guidance on reporting security vulnerabilities to SoContact, please refer to this policy, which should be read in the context of SoContact’s Terms of Use.

If you have found a vulnerability in one of SoContact’s products (i.e. dashboard, API, Chrome extension, etc.), we encourage you to submit your report to us as soon as possible and not to make the vulnerability public until it has been fixed and verified by SoContact.

SoContact will not file a lawsuit against you or report you to law enforcement, provided the vulnerability was reported responsibly and meets the criteria set out below in this Agreement.

Bug Bounty Program

About

SoContact considers security a crucial aspect of its operations, which is of utmost importance for its customers and products. To ensure maximum security, SoContact has implemented a range of security measures and is determined to safeguard application data, eliminate any potential vulnerabilities, and ensure uninterrupted business operations.

For questions concerning our security please contact info@socontact.com.

Vulnerability Disclosure

To report any security concerns or vulnerabilities related to SoContact’s products, please reach out to info@socontact.com. It is recommended to include a proof of concept, a list of tools used (including their versions), and the output of those tools. At SoContact, all disclosures regarding security are treated with utmost seriousness. Any vulnerability bounties (also known as bug bounties) are assessed on a case-by-case basis.

  • Notify SoContact of the vulnerability and provide all of the details available to you.
  • Please provide enough detail to be able to fully identify and reproduce the issue, which may include the product, version, URL, requests/responses, screenshots, etc.
  • Provide SoContact with a reasonable time period to fix or address the issue before publicly disclosing.
  • In your research, please avoid any possible service disruption, accessing private user data, or destroying user data.
  • Do not submit reports from automated exploit scanning tools without first confirming the issue is in fact present.
  • Do not contact SoContact employees or users for the purpose of phishing or social engineering.

Rules you will follow

  • Never try to access another user’s account or data.
  • Do not perform or try to perform any action/attack that could harm the integrity and reliability of our data and/or services.
  • Spam/DDoS attacks are not permitted. Do not perform actions that could have an impact on our other users while testing.
  • A bug should never be disclosed publicly before it is known to be fixed.
  • Vulnerability tests should only be performed on websites that you know for sure are operated by SoContact.
  • The use of scrapers, scanners and/or any other form of automated tools while testing is forbidden.
  • Under no circumstances should you engage in non-technical attacks, such as phishing and/or physical attacks against our infrastructure, our users and/or our employees.
  • In case of doubt, always contact us at info@socontact.com.

Rules we will follow

  • Your submissions will get a quick response.
  • You will always be updated on our progress in fixing a bug you submitted.
  • No legal action will be taken against you if you follow our rules.

Actions that don’t qualify

  • Bugs related to browser extensions and those that do not affect the latest version of modern browsers (such as Chrome, Firefox, Edge, Safari) are out of scope.
  • Bugs that require highly improbable user interaction are out of scope.
  • Bug submissions that do not include written steps to reproduce the issue or only provide video demonstrations are not acceptable.
  • Insecure cookie settings for non-sensitive cookies.
  • Disclosure of information that is already public or information that does not pose a significant risk.
  • Bugs found in content or services that are not owned or operated by SoContact.
  • Scripting or employing other forms of automation or brute-force tactics to exploit intended functionality.
  • Tabnabbing and Clickjacking.
  • Rate Limit.
  • Cipher Suite (TLS protocol).
  • In case of doubt, always contact us at info@socontact.com.

Categories to Look for Vulnerabilities

We are primarily interested in hearing about the following vulnerability categories:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Authentication Bypass
  • Insecure Direct Object References
  • Remote Code Execution
  • Sensitive Data Exposure

Vulnerability Categories that are Out of Scope

The following categories are considered out of scope and should not be explored during your vulnerability research:

  • Denial of Service (DoS)
  • SSL vulnerabilities (i.e. misconfiguration or version)
  • Brute force attacks
  • User enumeration
  • Misconfigured flags on non-sensitive cookies
  • Logout CSRF
  • Issues only present in deprecated browsers or plugins
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerabilities that require users to perform highly unlikely actions (i.e. disabling browser security features, sending an attacker critical info, etc.)

Rewards for Bug Bounty

  • Critical Severity Vulnerability: $1200
  • High Severity Vulnerability: $600
  • Medium Severity Vulnerability: $300
  • Low Severity Vulnerability: $150

Please note that the v2 is being integrated now and that the bug bounty program is closed until the new version is totally integrated.
