For Professional Security Researchers: Bug Bounty Program
Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Smartling works with security experts across the globe to stay up-to-date with the latest security techniques. If you've discovered a security issue that you believe we should know about, we'd love to work with you. Our bug bounty program provides a monetary reward for these efforts.
Smartling's Bug Bounty Program applies to security vulnerabilities found within Smartling's public-facing online environment. This includes, but is not limited to, Smartling's websites, exposed APIs, mobile applications, and devices. For the protection of our customers, we do not disclose, discuss or confirm security matters until we have comprehensively investigated, diagnosed and fixed any known issues.
Program Status
Since March 10, 2018, Smartling has decided to close the Public Bug Bounty Program, and only run the Private Bug Bounty Program. Reports without previous authorization from Smartling ITSEC-Team will not be accepted, answered, and/or rewarded.
How to Participate
Highly skilled security researchers can participate in Smartling's Private Bug Bounty Program. Send us information about yourself to itsec@smartling.com, and we will answer you with an authorization ID. Include the authorization ID when communicating with our team. Smartling reserves the right to refuse participants' requests without additional information.
Bounty Eligibility
- You must agree to and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue in order to be eligible for bounty.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Smartling's partners are not eligible for participation in this program.
Program Rules
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
- Do not attempt to gain access to another user’s account or data.
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Eligible Targets
At this time, the scope of this program is limited to security vulnerabilities found in the following targets:
- www.smartling.com
- dashboard.smartling.com
- sso.smartling.com
- api.smartling.com
- support.smartling.com
- www.verbalizeit.com
- customers.verbalizeit.com
- ti.smartling.com
Exclusions
The following vulnerabilities are not eligible for a bounty:
- Network level Denial of Service attacks
- Application Denial of Service by locking user accounts
- Descriptive error messages or headers (e.g. stack traces, banner grabbing)
- Disclosure of known public files or directories (e.g. robots.txt)
- Outdated software / library versions
- OPTIONS / TRACE HTTP method enabled
- CSRF on logout
- CSRF on forms that are available to anonymous users
- Cookies that lack the HttpOnly or Secure flag for non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- Attacks requiring physical access to a user's device
- Attacks dependent upon social engineering of Smartling employees or vendors
- Username enumeration based on login or forgot password pages
- Enforcement policies for brute force, rate limiting, or account lockout
- SSL/TLS best practices
- SSL attacks such as BEAST, BREACH, Renegotiation attack
- Clickjacking, without additional details demonstrating a specific exploit
- Mail configuration issues including SPF, DKIM, DMARC settings
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Password and account recovery policies
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Lack of email address verification during account registration or account invitation
- Lack of email address verification during password restore
- Session control during email/password changes
Rewards
You may be eligible to receive a monetary reward if:
- You are the first person to submit a site or product vulnerability
- That vulnerability is determined to be a valid security issue by Smartling's security team
- You have complied with all Program Terms
All bounty amounts will be determined at the discretion of the Smartling Inc. Bug Bounty team, who will evaluate each report for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk, such that we do not make changes.
The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $10,000 USD. Smartling's Bug Bounty team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Smartling Bug Bounty team are final.
Payment
You'll need to submit an invoice to receive payment. The invoice has to meet all legal requirements. See the sample invoice template: Invoice template.xlsx. Once we have that information, awarded bounty payments will be made automatically. Smartling accepts the following payment methods.
| Method | Required Items |
| --- | --- |
| PayPal | PayPal email address |
| Payoneer | Payoneer ID or registered email |
| Wire | First and last name, address, bank name, SWIFT, IBAN number, sort code |
| ACH | Routing and account number |
Submit Your Report
Vulnerability information is extremely sensitive. When using email to report a potential security issue to the Smartling IT-Security Department, use itsec@smartling.com.
It's important to include at least the following information in the email:
- Organization and contact name
- Your Reference / Advisory Number
- Products or solutions and versions affected
- Description of the potential vulnerability
- Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
- Information about known exploits
- Disclosure plans, if any
- If you want public recognition
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. A well written report will allow us to more quickly and accurately triage your submission.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- A clear description of the issue, including the impact you believe it has to the user, Smartling or others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
- Give us a reasonable time to correct the issue before making any information public.
Terms and Conditions
There are constraints on who may participate in the Smartling Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.
- The parties to this agreement are you and "Smartling Inc."
- You must abide by the law.
- "Smartling Inc." employees, contractors, and their families are not eligible for rewards.
- By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than "Smartling Inc." via our Bug Bounty Process.
- Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of Smartling Inc.
- By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Smartling Inc. a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that Smartling had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
- Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Smartling.
- The Program is focused predominantly on: Internet-facing Smartling Inc. websites executing on internet domains that provide significant business value to Smartling, and are supported directly by Smartling and its suppliers; Smartling-branded mobile applications; devices; and the Smartling API Platform. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Program.
- You are responsible for notifying Smartling Inc. of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
- Smartling Inc. reserves the right to discontinue the Program at any time without notice.
- You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact Smartling or Smartling's online environment availability or performance.
Confidentiality
Any information you receive or collect about Smartling through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Smartling sites, without Smartling's prior written consent.
Response SLA
Response efficiency metrics are tracked and reported in business days: Monday to Friday from 8 AM to 5 PM Eastern Time (UTC-5:00 / UTC-4:00).
| Metric | Number of Days |
| --- | --- |
| Time to respond to private bug bounty participation request | 5 |
| First response time | 1 |
| Triage time | 5 |
| Bounty time | 30 |