Saasu values and appreciates the contributions from the cybersecurity community in improving and maintaining our systems to meet cybersecurity standards.
Reports submitted to Saasu for https://secure.saasu.com are in scope and will be accepted for evaluation.
Saasu retains the right to determine whether to accept a report submitted as a vulnerability disclosure.
Saasu will reject vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Saasu’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements.
Out of scope vulnerabilities include:
- Vulnerabilities demonstrated where the attacker has direct access to the victim’s device for demonstration purposes (e.g., direct access to cookies);
- Click-jacking on pages with no sensitive actions;
- CSRF without a demonstrated vulnerability;
- Password and account recovery policies, such as reset link expiration or password complexity;
- Presence of autocomplete attribute on web forms;
- Username/user id enumeration;
- Vulnerabilities only affecting outdated or unpatched browsers;
- SSL/TLS configurations without a demonstrated vulnerability;
- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
- Missing HTTP-only or secure cookie flags unrelated to a vulnerability;
- Missing security headers unrelated to a vulnerability;
- Attacks against network and security infrastructure; and
- Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).
Saasu would not pursue legal action against participants who:
- Submit in-scope reports and engage in testing/research of systems without harming Saasu, its customers, employees, or third parties;
- Do not compromise the privacy of Saasu’s customers, employees, or other individuals (e.g. by accessing personal information);
- Do not conduct social engineering, spam, or phishing attacks;
- Do not test the physical security of any property of Saasu or third parties;
- Do not conduct denial-of-service or resource-exhaustion attacks;
- Do not test properties or systems outside the United States;
- Comply with applicable criminal laws; and
- Adhere to other applicable laws.
You agree that Saasu may disclose the information in a report you submit through this website. Saasu will consider any request from a researcher to make a disclosure but reserves the right to deny such requests.
How to Submit a Report
To submit a report to Saasu, please email the report to firstname.lastname@example.org.
Expectations for Researchers:
- Well-written reports in English will have a higher chance of faster response and resolution;
- Reports that include proof-of-concept code enable Saasu to better understand and triage the submitted information;
- Reports that include only output from programs may receive lower priority;
- Participating in this program does not give you any right to intellectual property owned by Saasu or a third party;
- Please include how you found the vulnerability; if possible include any potential remediation(s); and
- Please do not include any personal information.