Note: The Bug Bounty Program as stated below is not live yet. We will keep you informed about the go live of our bug bounty program in this space.
GIOTTUS BOUNTY PROGRAM
Giottus aims to become the industry leader, and we are continuously improving our services to achieve this goal. We are open to any and all feedback and encourage you to inform us if you discover a bug or have ideas to improve our services.
Note: This program is for the disclosure of software security vulnerabilities or new ideas to improve our services only. If you believe your Giottus account has been compromised, change your password and contact support.giottus.com immediately.
1. Responsible Disclosure
Security of user data and communication is of utmost importance to Giottus. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Giottus. Principles of responsible disclosure include, but are not limited to:
· Accessing or exposing only customer data that is your own.
· Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
· Keeping within the guidelines of our Terms and Conditions.
· Keeping details of vulnerabilities secret until Giottus has been notified and has had a reasonable amount of time to fix the vulnerability.
In order to be eligible for a bounty, your submission must be accepted as valid by Giottus. We use the following guidelines to determine the validity of requests and the reward compensation offered.
a. Reproducibility
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
b. Severity
More severe bugs will be met with greater rewards.
Examples of Qualifying Vulnerabilities
· Authentication flaws
· Circumvention of our Platform/Privacy permissions model
· Clickjacking
· Cross-site scripting (XSS)
· Cross-site request forgery (CSRF/XSRF)
· Mixed-content scripts
· Server-side code execution
Examples of Non-Qualifying Vulnerabilities
· Denial of Service vulnerabilities (DoS)
· Possibilities to send malicious links to people you know
· Security bugs in third-party websites that integrate with Asana
· Mixed-content scripts
· Insecure cookies
· Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible.
2. Severity
We appreciate your willingness to help us offer the best service in the industry, and we reward confirmed bug reports and new ideas that our team goes on to implement. We will classify bugs as low, medium or high priority and will reward based on the severity of each bug.
Only one user will be rewarded per vulnerability. If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
3. Reporting
a. How to report a weakness
You can report weaknesses to us by email at security@giottus.com. State concisely in your email what weakness(es) you have found. We will take action immediately.
b. What we do with your report
A team of security experts will investigate your report and will contact you within two working days to discuss the weakness, how you found it and the follow-up action.
c. Your privacy
We will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.
4. Important Rule
The fair play rules apply; we only reward those who DO NOT violate the privacy of other users, DO NOT destroy data, and DO NOT disrupt our services.
At all times, please be patient! Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and kindly warn us before disclosing it.
This is a discretionary program and Giottus reserves the right to cancel the program; the decision whether or not to reward is at our discretion.
5. Contact
Please email us at security@giottus.com with any vulnerability reports or questions about the program.