# Bug bounty program

#### Rules

* We will only pay out for in-scope disclosures
* Duplicates will not be accepted; you must be the first person to report the vulnerability
* We cannot pay out to sanctioned regions
* Do not access or test our production instance

#### Scope

* Only <https://staging-2.canvasapp.com/> is in scope. Do not test or attack our production environment.
* Issues that significantly affect confidentiality or integrity of user data

#### Out of scope

* Production canvasapp.com
* Marketing content, docs, blog content
* Output from automated scanners
* Load testing and denial-of-service (DoS, DDoS) testing of any kind, which is not permitted
* Self-XSS
* Social engineering
* Issues that only affect unsupported browsers (e.g. IE6)
* Missing or incorrect SPF, DMARC, DKIM records
* DNSSEC
* Cookie duration
* Known vulnerabilities in third-party libraries, including newly published zero-days
* Exploits that require the victim to take an action themselves (e.g. pasting code into browser dev tools)
* Missing HTTP headers
* Clickjacking
* Information disclosure of non-user data
* CSRF on anonymous forms
* CSRF attacks that require knowledge of the CSRF token
* Public key disclosure
* Issues with third-party services
* UI/UX issues that do not impact security
* Attacks that require MITM
* SSL/TLS best practices
* Any other trivial bugs

#### Payouts

* P1: $200
* P2: $100
* P3: $50
* P4: $25

#### Disclosure

1. Email <security@canvasapp.com> with the details, steps to reproduce, and a proof of concept.
2. If your disclosure is accepted, you will receive further instructions.
3. Before an accepted payout can be processed, you will need to provide a Form W-9 (US persons) or Form W-8BEN (non-US persons).
