NO BOUNTY PAYMENTS - FREE SUBMISSIONS ONLY

You MUST get our written permission before performing any testing of any kind.

Whilst we work hard to keep our services secure, we know that nothing can be 100% secure. We take notifications about security issues seriously, and will respond swiftly to fix verifiable security issues. We encourage you to report security issues by emailing bugreport@ our main domain, so that we can fix them, and keep our users safe.

Payments

There are currently no bounty payments. Unfortunately it is not currently possible for us to offer a paid bug bounty program. We would, however, like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report genuine security vulnerabilities to us according to this policy.

What is the scope of this policy?

Our responsible disclosure policy applies to Schedule it Ltd's products, services and systems. That means that vulnerabilities found in vendor systems fall outside of the scope of this policy scope, and should be reported directly to the vendor. If you are not sure, contact us and we will be happy to help you.

Who does this policy apply to?

This policy applies to anyone who submits a potential vulnerability report (besides employees or affiliates of Schedule it Ltd).

Who may be eligible for a bounty?

We may pay, but do not guarantee, a bounty for certain types of vulnerability reports. You may be eligible for a bounty where: 1) the security issue is unique in scope; 2) you are the first to report the issue; 3) the security issue has not been disclosed publicly or to any third party; and 4) payment to you is not prohibited by any law and/or regulation that applies to Schedule it Ltd. Again, the payment of a bounty is entirely at our discretion.

Which domains are in scope?

The domain scheduleit.com and any subdomain, with the exception of subdomains for our third party vendors.

What issues are eligible?

Please don't perform research that could impact our products, services or other users. Prohibited activities include, but are not limited to:

Degrading the performance of Schedule it Ltd's products, services, or the experience of our users in any way

Conducting activities that risk disruption of our service

Using automated tools to find vulnerabilities. They are noisy and might result in denial of service

Engaging in activities that may result in the unauthorized access, modification, or loss of data belonging to either us or our users

Performing social engineering (including phishing) or denial of service attacks on Schedule it Ltd's products or services

Using or accessing information or accounts that do not belong to you

Violating any applicable laws

Examples of issues that we would like to know about include typical security vulnerabilities, such as:

Authentication or Authorization flaws

Cross-site Scripting

Cross-site request forgery

File inclusion

Open redirect

Server-side code execution

Injection Flaws

Significant Security Misconfigurations

What issues are not eligible?

Issues already known to us and previously reported issues

Attacks that require social engineering (phishing, spam, etc.)

Self-XSS

Missing HTTP Headers, except where their absence fails to mitigate an existing attack

Volume-based denial of service

Lack of rate limits

Attacks requiring physical access to the victim device

Attacks requiring access to the local network of the victim

Assumed vulnerability based upon version disclosure only

Missing cookie flags on non-sensitive cookies

Reports of insecure SSL/TLS ciphers (unless a PoC is present and not just a report from a tool/scanner)

Flaws affecting out-of-date browsers and plugins

Server-side non-confidential information disclosure such as IPs, server names, and most stack traces

What information should I include?

Please report security issues using this form in the following format and emailing to bugreport@ our main domain:

Name:

Bug type:

Domain or Product:

URL:

PoC, screenshots, video, etc.:

Please only include one potential vulnerability per report, and do not send automated scanner results without proof of exploitability. We request that you keep reports short and clear; we will contact you if we need more information.

Other guidelines

We reserve the right to pay you a bounty, in an amount to be paid at our discretion, conditioned upon your compliance with this policy. Submission of a report does not guarantee payment.

Potential vulnerabilities may not be disclosed publicly until Schedule it Ltd has reviewed and remediated any issue.

Your participation does not create any kind of employment or partnership between you and Schedule it Ltd, and you must comply with all laws in connection with your participation in this program.

Any information you receive from Schedule it Ltd through your participation must be kept confidential.

All rights not otherwise granted within this policy are expressly reserved by Schedule it Ltd, including intellectual property rights.

Schedule it Ltd reserves the right to discontinue the responsible disclosure program without prior notice at any time.

Any other questions or concerns related to security? Please contact us and we will try to help!