Security Research
Find out more about how to work together with us as security researcher.
Qualifying Vulnerabilities
The following types of vulnerabilities are in scope of our security research program:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Unauthenticated Access to Private Accounts
Non-Qualifying Vulnerabilities
The following types of vulnerabilities are not in scope of our research program:
- Issues found through automated testing
- Denial of Service attacks
- Login/logout CSRF
- Missing security headers which do not lead directly to a vulnerability
- Password, email and account policies, such as email id verification, reset link expiration, password complexity
- XSS on any site other than *.blossom.io or *.blossom.co.
- Reports of spam (i.e., any report involving ability to send emails without rate limits)
- Vulnerabilities affecting users of outdated browsers or platforms
Rules
We expect that our customers are not exposed to risk.
- Don’t attempt to gain access to another user’s account or data.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Don’t publicly disclose a bug before it has been fixed.
- When in doubt, contact us.
Reporting Security Vulnerabilities
Please use this widget to get in contact with us.
It provides a secure channel to get in touch with us.
Our security team will respond as soon as possible.
Acknowledgement
If you've successfully helped us identify and fix an in-scope security vulnerability in
compliance with the rules of our program (see above) we will add you
to the list of security researchers we collaborated with (see below).
We're also more than happy to issue a formal recommendation on LinkedIn.
Security Researchers
Special thanks to everyone who worked together with us so far.