LEGAL

Responsible Disclosure Policy

Last updated 9/14/2020

The security and privacy of our clients and their information are important to Simply Business. Simply Business takes its responsibility to protect this information seriously and uses technical, administrative, and physical controls to safeguard its data. How can you help Simply Business enhance the security of our digital experience? We want to hear from security researchers (“You” or “Your”) who have information related to suspected security vulnerabilities (“Vulnerability” or “Vulnerabilities”) in any Simply Business services exposed to the internet. Please report Vulnerabilities to us in accordance with these Vulnerability Disclosure Terms (“Terms”).

In Scope Applications:

  • simplybusiness.com

Reporting a Vulnerability

Please submit Your Vulnerability to Simply Business by completing the following Form and sending both the completed Form and the Vulnerability details to [email protected] (“Report”). Please encrypt Your Report with our PGP key so that the Vulnerability is reported securely. By submitting Your Report to Simply Business:

  • You agree not to publicly disclose the Vulnerability until Simply Business agrees to a public disclosure;
  • You agree to keep all communication with Simply Business confidential;
  • You represent that the Report is original to You and that You did not copy the Report, or any part of it, from a third party; and
  • You allow Simply Business and its affiliates the unconditional ability to use, distribute, and/or disclose information provided in Your Report.

Our expectations for Your research:

If You are considering submitting a Vulnerability Report, we do not want You to take on or create unnecessary risk in order to discover a Vulnerability.

We ask that You do the following in conducting Your research:

  • Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you inadvertently encounter user data. In such instances, do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Simply Business; and
  • Comply with all applicable laws.

We expressly prohibit any of the following conduct:

  • Spamming forms or scanning applications through automated vulnerability scanners;
  • Publicly disclosing a Vulnerability within X days of submitting the Vulnerability to us;
  • Accessing or modifying our data or our users’ data without the explicit permission of the owner;
  • Committing privacy violations, destroying data, or interrupting or degrading our services;
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks; and
  • Attacks on third-party services.

The following issues are outside the scope of our vulnerability disclosure program:

  • Our policies on presence/absence of SPF/DMARC records.
  • Password, email and account policies, such as email address verification, reset link expiration and password complexity.
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
  • Login/logout CSRF.
  • Attacks requiring physical access to a user’s device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Self-XSS (we require evidence on how the XSS can be used to attack another Simply Business user).
  • Host header injections unless you can show how they can lead to stealing user data.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Attacks that require an attacker-controlled app to have permission to draw overlays on top of our app (e.g., tapjacking, clickjacking).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Social engineering of Simply Business employees or contractors.
  • Any physical attempts against Simply Business property or data centers.
  • Presence of autocomplete attribute on web forms.
  • Missing cookie flags on non-sensitive cookies.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • Any report that discusses how you can learn whether a given username or email address has a Simply Business account.
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Content spoofing vulnerabilities where you can only inject plain text into a page are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML).
  • Ability to share links without verifying email.
  • Absence of rate limiting, unless related to authentication.
  • IP/port scanning via Simply Business services, unless you are able to reach private IP addresses or Simply Business servers.
  • Devices (iOS, Android, desktop apps) not being unlinked on password change.
  • Hyperlink injection or any link injection in emails we send.
  • Creating multiple accounts using the same email address.
  • Phishing risk via unicode/punycode or RTLO issues.
  • Editable GitHub wikis.
  • Denial of Service.

If You submit a Vulnerability in accordance with these Terms, Simply Business will work with You to understand, validate, and address the Vulnerability appropriately per the assessed risk. Thank you in advance for Your contribution.