No technology is perfect, and Heap believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have discovered a vulnerability within Heap or any other serious security and privacy issues, send your detailed report to security@heap.io where we will validate the issue.
Currently, we do not have an active bug bounty program. However, if your report is valid, we will ensure that you are included in our list of hunters once we launch the program in the future. The scope of our future bug bounty program will be limited to specific assets and vulnerability classes.
Reporting Security Issues to Heap
Before sending your report by email, please consult our list of out-of-scope vulnerabilities below, so that you only submit reports concerning in-scope vulnerabilities.
Our team will review your report and get back to you as soon as possible. We are committed to working with the security research community to ensure the security of our systems.
Vulnerability Disclosure Policy
Maintaining the security, privacy, and integrity of our products is a priority at Heap. We appreciate the work of researchers to improve our security and privacy posture, and we are committed to creating a safe and transparent environment for reporting vulnerabilities.
If you believe you’ve found a security bug in our service, we would be happy to work with you to resolve the issue promptly.
Please adhere to the following steps:
- Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to resolve it quickly (please reach us at security@heap.io)
- Provide us with a reasonable amount of time to understand, analyze, and resolve the issue
- Do not disclose the vulnerability, in whole or in part, to any third party without formal acknowledgement from Heap staff
- You must be the first to report the vulnerability, and it must be a qualifying vulnerability (see below)
- You must not be a former or current employee of Heap or of one of its contractors
- Send a clear textual description of the issue along with steps to reproduce it (include attachments such as screenshots or proof-of-concept code as necessary)
- If you find the same vulnerability several times, please create only one report.
Scope
In scope:
- *.heapanalytics.com
Out of scope:
- *.heap.io
- All other domains and sub-domains not listed in the scope section.
Qualifying vulnerabilities
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Site Scripting (XSS)
- Cross-site Request Forgery (CSRF) with real security impact
- Cross-Origin Resource Sharing (CORS) with real security impact
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Broken authentication & session management
- Business logic errors with real security impact
- SSRF with real security impact
- Open redirect with real security impact
- Exposure of secrets, credentials, or other sensitive information on an asset under our control that affects at least one in-scope domain
- Subdomain takeover