Vulnerability Disclosure Policy
Brand Promise
Snowplow looks forward to working with the security community to find vulnerabilities in order to keep our business, customers, and open source community safe.
Scope
This policy applies to any digital assets owned by Snowplow, including public-facing websites, our open source estate, and any data pipelines we operate. We ask that digital assets we operate, but do not own, be excluded from testing.
For assets operated by, but not owned by, Snowplow, please focus on our own estate — not customer deployments or partner technologies. Starting your journey at https://snowplowanalytics.com should keep you in the right zone.
Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- CSRF on unauthenticated or non-sensitive forms
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working proof of concept
- CSV injection without demonstrating a vulnerability
- Missing SSL/TLS best practices
- Any activity that could lead to service disruption (DoS)
- Content spoofing or text injection without HTML/CSS modification
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing Content Security Policy best practices
- Missing HttpOnly or Secure cookie flags
- Email best practice issues (SPF, DKIM, DMARC)
- Outdated or unpatched browser-only issues
- Software version disclosure or verbose errors
- Tabnabbing
- Open redirects without demonstrated impact
- Issues requiring unrealistic user interaction
Disclosure Policies
Please do not discuss this program or any vulnerabilities outside of the program without express consent from Snowplow.
Follow BugCrowd’s disclosure guidelines at all times.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized. Snowplow will not initiate legal action against individuals who comply with these guidelines.
If a third party initiates legal action against you in connection with approved research, we will take steps to confirm your compliance with this policy.