1. Introduction
BrowserStack aims to improve security through responsible testing and submission of previously unknown vulnerabilities. We appreciate your efforts in making BrowserStack a secure testing platform. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.
2. Scope
2.1 In-scope domains include:
| Sr. | Target | Type | Accessibility |
|-----|--------|------|---------------|
| 1 | https://www.browserstack.com | Website Testing | BrowserStack main page can be accessed without login. |
| 2 | https://live.browserstack.com | Website Testing | Users can sign up on the BrowserStack website and opt for the Free Trial. |
| 3 | https://app-live.browserstack.com | Website Testing | |
| 4 | https://automate.browserstack.com | Website Testing | |
| 5 | https://app-automate.browserstack.com | Website Testing | |
| 6 | https://api.browserstack.com | API Testing | |
| 7 | https://api-cloud.browserstack.com | API Testing | |
| 8 | Local binary (Windows, macOS, Linux) – only the latest released version | Executable Binary | Users can use the access key generated after sign-up (free trial) on the BrowserStack website. |
| 9 | *.percy.io | Website Testing | You get a freemium account with 5000 snapshots/month when you sign up to Percy. |
| 10 | Domain (Percy) – 35.202.184.41 | Firewall – Enterprise firewalls | NA |
| 11 | Domain (Percy) – 35.226.127.204 | | NA |
| 12 | CIDR (Percy) – 35.202.19.5 | | NA |
| 13 | CIDR (Percy) – 104.154.145.167 | | NA |
2.2 Out-of-scope domains include:
- Domain: *.browserstack.com
- Subdomains of browserstack.com that are not explicitly listed as in-scope above are out of scope.
- Percy's out-of-scope domains:
  - blog.percy.io → Our blog is hosted on Medium. Please do not submit reports to us for it.
  - docs.percy.io
  - go.percy.io
  - status.percy.io → This site is managed by statuspage.io. Any bug bounties should be reported directly to Atlassian.
- All real devices, emulators and terminals provided by BrowserStack.
  - "Terminal" here refers to a device or machine (which can be virtual) provided to users for running their tests.
- Third-party applications
- Local language bindings
2.3 Out-of-scope vulnerabilities:
The following issues are considered out of scope:
- Self-XSS and XSS without impact
- Username / Email Enumeration
- Weak password policies
- Weak Captcha / Captcha bypass
- Session Timeout
- Services listening on port 80
- Internal IP address disclosure
- Cookie expiration
- Missing cookie flags
- Distributed Denial of Service attacks and Denial of Service attacks
- Resource Exhaustion attacks
- Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Presence of autocomplete or save password.
- Banner grabbing / Version disclosure
- Exploits/Attacks that need MITM or physical access to the victim’s device
- Previously known vulnerable libraries/packages without a working Proof of Concept
- Clickjacking
- Unauthenticated/logout/login CSRF
- Cross-site Request Forgery with no or low impact
- Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
- Generic error messages
- Attacks that only work against yourself (e.g. Host header injection)
- HTTP Strict Transport Security (HSTS) not enforced
- 0-day vulnerabilities reported in the last 90 days
- CVEs reported in the last 90 days
- SSL/TLS configuration issues, such as:
  - Perfect Forward Secrecy not supported; TLS 1.0 / 1.1 enabled
  - Insecure SSL/TLS ciphers (unless you have a working proof of concept)
- Stack traces, directory listings or path disclosures unless sensitive information like source code can be retrieved.
- window.opener issues ("tab-nabbing" or other rel="noopener" bugs)
- Theoretical sub-domain takeovers with no supporting evidence
- Missing rate limits
- Brute Force Attacks
- HTTPS mixed content scripts.
- CORS issues without a working PoC
- Out-of-date software, unless you have a working proof of concept.
- HTTP Request smuggling without any proven impact
- Arbitrary file upload without proof of the existence of the uploaded file
- Cross-domain referrer leakage where referrer does not contain sensitive information
- Missing security headers
- Missing CAA headers
- Client-side caching issues
- All device (emulator/simulator) related vulnerabilities.
- HTTP methods enabled – OPTIONS, PUT, GET, DELETE, INFO
- SSH Servers and services.
- Bugs that simply cause binary to crash.
- Issues in user management where the impact is limited to owners/admins targeting users in their own organisation (issues where lower-privileged users can target higher-privileged users are in scope).
In addition to the above, any services not expressly listed above are excluded from the scope and are not authorized for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope, contact us at security@browserstack.com before starting your research.
3. Guidelines for Responsible Disclosure
Please adhere to the following guidelines to be eligible for recognition under this disclosure program:
- Do not intentionally try to access non-public BrowserStack data any more than is necessary to demonstrate the vulnerability.
- Do not conduct Denial of Service, Distributed Denial of Service, or otherwise disrupt, interrupt or degrade our internal or external services.
- Do not share confidential information obtained from BrowserStack as part of your research with any individual, entity, or public platform.
- Do not engage in social engineering and phishing against BrowserStack staff, members, vendors, or partners.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- To help us triage and prioritize submissions, we recommend that your report describes the location of the vulnerability and the potential impact of exploitation, and includes a detailed description of your discovery with clear, concise reproduction steps or a working proof of concept. If you do not explain the vulnerability in detail, there may be significant delays in the disclosure process.
- All interactions with BrowserStack employees and HackerOne triagers must be carried out respectfully and professionally at all times. Spamming a report with update comments, or using rude or profane language, are examples of unprofessional communication. Use of hate speech or derogatory comments based on age, ethnicity, level of experience, nationality, personal or physical appearance, race, religion, sexual or gender identity and orientation, political beliefs, or other protected classes will not be tolerated and will be considered a violation of this policy.
- Use only approved communication channels to contact the security team. Reaching out through any other channel is considered "out-of-band" and violates this policy. Approved communication channels are listed in the "Vulnerability Disclosure Process" section.
- Violation of the stated policy can result in legal action.
4. Vulnerability Disclosure Process
- Please submit the vulnerability report to BrowserStack’s Security Team using the program page hosted on HackerOne – https://hackerone.com/browserstack.
- To get your invite on HackerOne, send us an email to security@browserstack.com with a summary of the nature of the issue you want to report.
- You should be the first reporter of the vulnerability. A known vulnerability might exist that has been already identified internally or by someone else. We will make sure to notify you if that is the case.
- Please do not discuss any vulnerabilities (even resolved ones) on any external platform without express consent from BrowserStack.
- Adhere to HackerOne’s disclosure guidelines.
BrowserStack allows you to submit vulnerabilities anonymously. BrowserStack does not require you to submit personally identifiable information, although we may request that you voluntarily provide contact information.
5. BrowserStack’s Commitment
To the best of our ability, we will confirm the existence of the vulnerability and be transparent about the steps taken during the remediation process, including on issues or challenges that may delay resolution.
5.1 Legal Terms
- In connection with your participation in this program, you agree to comply with BrowserStack’s Terms of Service, BrowserStack’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
- BrowserStack reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).
- BrowserStack does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of BrowserStack’s users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to BrowserStack to extract and publicly disclose data belonging to BrowserStack.
- BrowserStack employees (including former employees that separated from BrowserStack within the prior 12 months), contingent workers, contractors, and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any BrowserStack programs, whether hosted by BrowserStack or any third party.
6. Safe Harbour
- BrowserStack will not initiate a lawsuit or law enforcement investigation against you in response to reporting a vulnerability if you fully comply with this Policy.
- Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action.
- We cannot and do not authorize security research in the name of other entities. If a third party initiates legal action against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy. You are expected, as always, to comply with all applicable laws and regulations.
If you have concerns or are uncertain whether the security research is consistent with this policy, please contact security@browserstack.com before going any further.
7. Rewards
If your work helps us improve the security of our product and/or service, we will be happy to reward it accordingly. Rewards are paid according to our HackerOne rewards structure.