We welcome reports from security researchers and experts about possible security vulnerabilities with our service. We're particularly interested in hearing about vulnerabilities that impact the confidentiality or integrity of user information or systems, and have the potential to impact a large number of people.
The only target in scope is app.geckoboard.com, and any HTTP requests made from that subdomain (i.e. to management.geckoboard.com). All other Geckoboard domains such as support.geckoboard.com, etc. are out of scope.
Responsible disclosure policies
Geckoboard aims to keep its service safe for everyone, and data security is of utmost priority. If you're a security researcher and have discovered a security vulnerability in the service, we appreciate your help in disclosing it to us in a responsible manner. In return we promise to investigate reports promptly.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Geckoboard or its users (e.g. Spam, Brute Force, Denial of Service, etc).
- Accessing, or attempting to access, data or information that does not belong to you. If you want to test cross-account access please sign up for additional trial accounts.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Performing automated vulnerability scans.
- Attempting non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Other important responsible disclosure policies to make note of:
- The target URL is the same used by our customers. Please keep this in mind and act accordingly.
- No attacks against Geckoboard's existing user base.
- No phishing.
- No DDoS attacks.
- This is Geckoboard's primary production environment. We accept valid PoCs of app-level Denial of Service vulnerabilities, but PoCs that intentionally stress or risk the availability of our services will be considered abuse.
- Do not create more than 2 accounts as part of your testing. Failure to comply may result in your account access being blocked.
When in doubt, contact us.
Reward range and classification
Geckoboard may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.
High and Medium vulnerabilities are the only ones entitled to a monetary reward (of up to US$500).
Our reward for vulnerabilities deemed low is a t-shirt (please note we are currently unable to ship to India, Pakistan, Sri Lanka, Nepal, Bangladesh, the Philippines, and the United Arab Emirates).
Duplicate and Declined submissions as well as any P5 (according to Bugcrowd's Taxonomy) submissions do not receive any rewards for this program.
The following table outlines the categories that will result from our evaluation:
Declined: False positives and/or issues of very minor criticality that won't necessarily result in a change of code.
Duplicate: The same report has been made before, or we are aware of the issue from any other source.
Low: Vulnerabilities like insecure cookies, clickjacking or insufficient password complexity are generally of low criticality as they are dependent on other issues and cannot be exploited by themselves.
Medium: Cross-site request forgery (XSRF or CSRF) vulnerabilities or those that might result in the changing of users' data.
High: Vulnerabilities of high criticality are those that would result in bypassing authentication. An example of a high-criticality vulnerability is a successful SQL injection that could be used to read data, delete users, or make other kinds of database modifications.
If you believe you've found a security vulnerability on Geckoboard, we encourage you to let us know straight away. We will investigate all legitimate reports, evaluate them, and – if applicable – do our best to quickly fix the problem.
Before reporting though, please review this article, including our responsible disclosure policies. Geckoboard pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.
If you're looking to report another type of issue, please get in touch.
How to report security vulnerabilities
Please do not publicly disclose these details without the express written consent from Geckoboard.
Your input and feedback on our security is always appreciated. As much as we want to respond to all reports, it’s not feasible for us to do so. We typically only respond to vulnerability reports that get classified as High or Medium or will receive a reward.
Reports which get classified as Low, Duplicate, Declined, or any P5 (according to Bugcrowd's Taxonomy) submissions will usually not receive a response but will be added to our internal issue tracker.
When reporting any suspected vulnerabilities, please use this Geckoboard security vulnerability reporting form.