Salsify looks forward to working with the security community to find vulnerabilities in order to keep our business and customer data safe.
Please read this entire policy before performing any security testing.
Who Are We
Salsify provides a best-in-class Product Experience Management (PXM), allowing our customers to create best-in-class commerce experiences through our integrated Product Information, Digital Asset Management, and Experience Builder services.
- Retailer/Distributor clients are able to syndicate in-store and online product experiences across a brand’s entire indirect selling ecosystem
- Marketplace & D2C customers are able to manage direct commerce experiences across marketplaces, D2C brand sites, and social commerce channels with an order & inventory listing exchange in the same platform as a brand’s product content data.
Bug Bounty Payments
Our disclosure program does not offer bug bounty payments.
In Scope Assets
Note: Only findings relating to these domains will be treated as valid.
We will make best efforts to meet the following SLA for Hackers participating in our program.
First Response = 14 Days
Time To Triage = 30 Days
Time To Resolution = Dependent On Severity
We'll try to keep you informed about our progress throughout the process.
- As this is a private program, please do not discuss this program or any vulnerabilities, even resolved ones, outside of the program without express written consent from Salsify.
- Follow the Program Rules outlined below.
- Please provide detailed reports with reproduction steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we will only triage the first report that was received (provided it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out Of Scope Vulnerabilities
When reporting vulnerabilities, please consider:
- Attack scenarios
- Security Impact
The following types of issues are considered out of scope:
- CSP configuration.
- X-Frame-Options configuration.
- Clickjacking on pages with no sensitive data, including those referencing ‘demo’ in the URI.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma-Separated Values (CSV) Injection without demonstrating a vulnerability.
- Missing best practice in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authenticated endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers.
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If you believe your finding meets the requirements of a valid report for an in-scope asset, please use the following template to ensure you include the following sections in your report:
——- TEMPLATE START ——-
[add a summary of the vulnerability]
## STEPS TO REPRODUCE (POC)
[add the specific steps to reproduce the vulnerability]
- [add step]
- [add step]
- [add step]
- [… etc]
## REFERENCE MATERIAL
## ATTACHMENTS / SCREENSHOTS
## SUGGESTED FIX (optional)
[include your email address]
——- TEMPLATE END ——-
Email your report to: firstname.lastname@example.org
Policy Valid Date
This policy is valid as of July 1st, 2021.