Rules

• We will only pay out for disclosures in scope

• Duplicates will not be accepted, you must be the first person to report the vulnerability

• We cannot pay out to sanctioned regions

• Do not access or test our production instance

Scope

• Only https://staging-2.canvasapp.com/ is in scope. Do not test or attack our production environment.

• Issues that significantly affect confidentiality or integrity of user data

Out of scope

• Production canvasapp.com

• Marketing content, docs, blog content

• Output from automated scanners

• No load testing (DoS, DDoS)

• Self-XSS

• Social engineering

• Issues that only affect unsupported browsers (e.g. IE6)

• Missing or incorrect SPF, DMARC, DKIM records

• DNSSEC

• Cookie duration

• Widely-known vulnerabilities in libraries, including public zero-days

• Exploits that require user action (e.g. in browser dev tools)

• Missing HTTP headers

• Clickjacking

• Information disclosure of non-user data

• CSRF on anonymous forms

• CSRF attacks that require knowledge of the CSRF token

• Public key disclosure

• Issues with third-party services

• UI/UX issues that do not impact security

• Attacks that require MITM

• SSL/TLS best practices

• Any other trivial bugs

Payouts

• P1: $200

• P2: $100

• P3: $50

• P4: $25

Disclosure

1. Email security@canvasapp.com with the details, steps to reproduce and proof of concept

2. If your disclosure is accepted, you will receive further instructions.

3. If accepted, you will need to provide Form W-9/W-8BEN before your payout can be processed.