Overview

Scope

•  Domains: *.snowplow.io, *snowplowanalytics.com, *iglucentral.com
  
•  Software: github.com/snowplow*
  

• Clickjacking on pages with no sensitive actions
  
• CSRF on unauthenticated or non-sensitive forms
  
• Attacks requiring MITM or physical access to a user’s device
  
• Previously known vulnerable libraries without a working proof of concept
  
• CSV injection without demonstrating a vulnerability
  
• Missing SSL/TLS best practices
  
• Any activity that could lead to service disruption (DoS)
  
• Content spoofing or text injection without HTML/CSS modification
  
• Rate limiting or brute-force issues on non-authentication endpoints
  
• Missing Content Security Policy best practices
  
• Missing HttpOnly or Secure cookie flags
  
• Email best practice issues (SPF, DKIM, DMARC)
  
• Outdated or unpatched browser-only issues
  
• Software version disclosure or verbose errors
  
• Tabnabbing
  
• Open redirects without demonstrated impact
  
• Issues requiring unrealistic user interaction
  

Authorization

Our Commitment to the Security Community

• Trust. We maintain trust and confidentiality in our professional exchanges with security researchers.
  
• Respect. We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure
  
• Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.
  
• Common good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability
  

What We Ask of the Security Community

• Trust. We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for our team to validate and address potential issues.
  
• Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  
• Common Good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Snowplow will deem the submission as non-compliant with this Vulnerability Disclosure Program.
  

In addition

• The reported vulnerability must be original; the first person to submit a valid report shall be credited.
  
• You must not be the author of the vulnerable code.
  
• You must not attempt brute-force attacks, denial of service attacks, or user credential harvesting.
  
• You must not utilize social engineering of Snowplow employees and contractors to leverage exploitation of any kind.
  
• In the event of disclosure of personal data of another person, you are directed to cease the affecting activity, document steps to replicate, and submit the report as soon as possible.
  
• If you have discovered a vulnerability, do not disclose details of your findings publicly or to a third party.
  
• Information you receive or collect about Snowplow through the Vulnerability Disclosure Program (VDP) may be deemed proprietary and confidential.