Rainforest QA Bug Bounty Program

Rainforest recognizes the importance of security researchers in helping keep our customers safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Responsible Disclosure

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort not to leak or destroy any Rainforest user data.
  • Not defrauding Rainforest users or Rainforest itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem, provided they do their best to follow the above guidelines.

Rewards

We pay in USD via PayPal for reporting a previously unknown security vulnerability of sufficient severity. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.

We will also provide attribution on this page as a thank you.

Eligibility

Rainforest reserves the right to decide whether the minimum severity threshold has been met and whether the issue was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Clickjacking
  • Remote code execution
  • Obtaining user information

In general, the following would not meet the threshold for severity:

  • Vulnerabilities on sites hosted by third parties (blog.rainforest.com, analytics, etc.) unless they lead to a vulnerability on the main website
  • Denial of Service and brute-force attacks
  • Non-ideal but non-exploitable configuration issues
  • Spamming or phishing
  • Vulnerabilities in third-party applications, such as Stripe or Heroku
  • Vulnerabilities in third-party applications which make use of the Rainforest API

For example, "Your servers are vulnerable to Heartbleed" (with reasonable proof) will absolutely get you a reward, but "Your servers don't get an A+ rating on SSL Labs" will definitely not. Don't expect a response for any reported issues that don't fit the guidelines.

How To Disclose

You can disclose a vulnerability in the following ways:

Please include if possible:

  • Description and potential impact
  • Steps to reproduce the issue or a proof of concept
  • Name and link for attribution on this page
  • Email address of your PayPal account for payout

Thank you for helping keep our community safe!

Hall of Fame

2015