Security banner

The Bug Bounty program is on hold from 16th of May 2019. All received reports on or before this date will be reviewed and investigated but no new reports will be accepted. We aim to reopen the programme in the future.

We take data security seriously. Over 10,000 customers worldwide rely on OnePageCRM to keep their data safe and secure.

We’ve created a Bounty Program to reward those who report vulnerabilities, in order to help us keep our security at the highest of standards. Such programs work by providing a monetary reward, or “bounty”, to security researchers who responsibly disclose security issues in our app.



Responsible Disclosure

Security of user data is of utmost importance to OnePageCRM. The OnePageCRM development team consists of trusted and experienced developers that continuously evaluate our coding practices to recognize and shore up vulnerabilities.

To ensure security is at the highest of standards, we welcome responsible disclosure of any vulnerability you find.

Principles of responsible disclosure include, but are not limited to:

  • Access and expose only customer data that is your own
  • Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site)
  • Keep within the guidelines of our Terms of Service
  • Keep details of vulnerabilities secret until OnePageCRM has been notified and had a reasonable amount of time to fix the vulnerability
  • In order to be eligible for a bounty, your submission must be accepted as valid by OnePageCRM


    Reporting Security Bugs

    • If you suspect you've discovered a security bug or vulnerability in OnePageCRM, we encourage you to report it to us straight away
    • We are most interested in vulnerabilities in app.onepagecrm.com and secure.onepagecrm.com
    • Provide as many details as possible in your report
    • We must be able to reproduce the security bug from your report
    • This program does not allow for public disclosure of the vulnerability without express permission. If you wish to disclose the report, we require that you ask us first
    • To participate in the program you must comply with the Bug Bounty Policy


    Examples of Qualifying Vulnerabilities

    • Authentication or authorization flaws
    • Cross-site scripting (XSS)
    • Cross-site request forgery (CSRF/XSRF)
    • Mixed-content scripts
    • Server-side code execution bugs
    • Circumvention of our Platform/Privacy permissions model
    • Clickjacking


    Examples of Non-Qualifying Vulnerabilities

    • Denial of Service vulnerabilities (DoS)
    • Do-it-yourself XSS
    • Possibilities to send malicious links to people you know
    • Security bugs in third-party websites that integrate with OnePageCRM
    • Mixed-content scripts on onepagecrm.com
    • Insecure cookies on onepagecrm.com
    • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
    • Username enumeration
    • Previously reported bugs
    • Brute force password cracking
    • Logout cross-site request forgery


    Rewards

    We offer rewards for qualifying vulnerabilities based on severity and completeness of the submission, as determined by OnePageCRM’s security team. Awards are granted entirely at the discretion of OnePageCRM.

    • Only 1 bounty will be awarded per vulnerability.
    • If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
    • Our rewards range from $50 for minor issues and scale up to $100 for medium, $250 for major and $500 for critical issues. The bounty awarded to you is not negotiable and can only be paid upon providing us with an invoice via PayPal.


    Contact

    If you have any security concerns, questions or comments, please get in touch at support@onepagecrm.com.