Request Demo

    Responsible Disclosure

    Salsify looks forward to working with the security community to find vulnerabilities in order to keep our business and customer data safe.

    Please read this entire policy before performing any security testing.


    Who Are We

    Salsify provides a best-in-class Product Experience Management (PXM), allowing our customers to create best-in-class commerce experiences through our integrated Product Information, Digital Asset Management, and Experience Builder services. 

    •  Retailer/Distributor clients are able to syndicate in-store and online product experiences across a brand’s entire indirect selling ecosystem
    •  Marketplace & D2C customers are able to manage direct commerce experiences across marketplaces, D2C brand sites, and social commerce channels with an order & inventory listing exchange in the same platform as a brand’s product content data.


    Bug Bounty Payments

    Our disclosure program does not offer bug bounty payments. 


    In Scope Assets

    Note: Only findings relating to these domains will be treated as valid.


    Response Targets

    We will make best efforts to meet the following SLA for Hackers participating in our program.

    First Response = 14 Days

    Time To Triage = 30 Days

    Time To Resolution = Dependent On Severity

    We'll try to keep you informed about our progress throughout the process.


    Disclosure Policy

    •  As this is a private program, please do not discuss this program or any vulnerabilities, even resolved ones, outside of the program without express written consent from Salsify.
    •  Follow the Program Rules outlined below.


    Program Rules

    •  Please provide detailed reports with reproductive steps.  If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
    • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
    • When  duplicates occur, we will only triage the first report that was received (provided it can be fully reproduced).
    • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
    • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
    • Make a good faith effort to avoid privacy violations, destruction of data, and interruption of our service.  Only interact with accounts you own or with explicit permission of the account holder.


    Out Of Scope Vulnerabilities

    When reporting vulnerabilities, please consider

    •  Attack scenarios
    •  Exploitability
    •   Security Impact


    The following types of issues are considered out of scope:

    •  CSP configuration.
    •  X- Frame configuration.
    •  Clickjacking on pages with no sensitive data, including those referencing ‘demo’ in the URI.
    • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
    • Attacks requiring MITM or physical access to a users device.
    • Previously known vulnerable libraries without a working Proof of Concept.
    • Comma Separated Values (CSV) Injection without demonstrating a vulnerability.
    • Missing best practice in SSL/TLS configuration.
    • Any Activity that could lead to the disruption of our service (DoS).
    • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
    • Rate limiting or brute force issues on non-authenticated endpoints.
    • Missing best practices in Content Security Policy.
    • Missing HttpOnly or Secure flags on cookies.
    • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
    • Vulnerabilities only affecting users of outdated or unpatched browsers.
    • Software version disclosure / Banner identification issues / Descriptive error. messages or headers (e.g. stack traces, application or server errors).
    • Tabnabbing.
    • Open redirect - unless an additional security impact can be demonstrated
    • Issues that require unlikely user interaction.


    Safe Harbor

    Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.  If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.



    If you believe your finding meets the requirements of a valid report for an in-scope asset, please use the following template to ensure you include the following sections in your report:


    ——- TEMPLATE START ——-

    ## TITLE


    ## SUMMARY

    [add a summary of the vulnerability]


    ## IMPACT



    [add the specific steps to reproduce the vulnerability]

    1.   [add step]
    2.   [add step]
    3.   [add step]
    4.   [… etc]






    ## SUGGESTED FIX (optional)


    ## CONTACT

    [include your email address]


    ——- TEMPLATE END ——-


    Email your report to:


    Policy Valid Date

    This policy is valid as of July 1st 2021