Responsible Disclosure Policy v. 4.0
At Bynder, we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to shore up our security.
Under Bynder’s Responsible Disclosure Policy, you are allowed to search for vulnerabilities, so long as you don’t:
- execute or attempt to execute a Denial of Service (DoS)
- make changes to a system
- install malware of any kind
- social engineer our personnel or customers (including phishing)
- scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way
- physically attack or damage Bynder property, offices or data centers or attempt to do so
- run tests on third party applications, websites or services that integrate with or link to Bynder
- scan or attack the Amazon Web Services infrastructure or attempt to do so
Breaching the above restrictions may result in Bynder launching an investigation and/or taking legal action to the greatest extent of Bynder's legal obligation and rights or that of our partners and customers.
If you do discover a vulnerability, please contact us as soon as possible by sending an (encrypted) email to [email protected]. To prevent information falling into the wrong hands, please use the following public key:
What we ask of you:
- Submit your vulnerability report as soon as possible after discovery
- Do not abuse or exploit discovered vulnerabilities in any way for any purpose
- Do not share discovered vulnerabilities with any entities or persons other than Bynder and its employees until after Bynder has confirmed the vulnerability has been resolved
- Provide us with adequate information to enable us to investigate the vulnerability properly (to investigate properly, we need to be able to reproduce your steps efficiently)
- Provide us with information required to contact you (at least telephone number or email address)
What we promise:
- We will respond to your report within 5 business days of receipt, with our evaluation of the report and an expected resolution date.
- We will keep you regularly informed of our progress toward resolving the vulnerability.
- If you have followed the above instructions, we will not take any legal action against you regarding the report.
Rewards and attribution:
- Please do not ask for a reward before sharing the vulnerability, as we need to evaluate your report before responding.
- If you report a vulnerability that is unknown to us, and if you are not from a country where we are prohibited by law from making payments (e.g. due to sanctions), we may decide to offer you a reward based upon our assessment of the criticality of the vulnerability.
Assets in scope:
Accounts that can be self-provisioned at https://www.bynder.com/en/trial/
Out of scope assets:
- For all our acquisitions, in order to give our development and security teams time for internal review and remediation, we will introduce a six-month blackout period. Vulnerabilities reported in that period will not qualify for a reward.
Out of scope vulnerabilities:
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Issues that require unlikely user interaction
- Clickjacking/UI Redressing
- Reflected file download
- Verbose error pages (without proof of exploitability)
- SSL/TLS Best Practices
- Incomplete/Missing SPF/DKIM
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Content spoofing (text injection)
- OPTIONS HTTP method enabled
- Recently disclosed 0-day vulnerabilities (30-day blackout period)
- Presence of autocomplete attribute on web forms
- Use of a known-vulnerable library (without proof of exploitability)
- CSV Injection
- Missing HTTP Security Headers (without proof of exploitability)
- "Self" Cross-Site Scripting (unless it is part of a chain)
- Missing cookie flags
- Missing best practices in Content Security Policy
The following template can be used when submitting a vulnerability:
[Description of the identified vulnerability]
# Steps to reproduce
1. Step 1
2. Step 2
[What could an attacker achieve by exploiting the vulnerability]
Any report submitted in relation to this Responsible Disclosure Policy will be handled with great care with regard to the privacy of the reporter. We will not share your personal information with third parties without your permission, unless we are legally required to do so.
This Responsible Disclosure Policy was last updated on: April 21, 2020.