Funnel Science Bug Bounty and Creative Suggestions

The security of our users’ data and the integrity of our system is our highest priority. We design, build and test our software and infrastructure with this goal. The tech space changes rapidly and we recognize that vulnerabilities present themselves and we want to stop that as soon as possible. We have a bug bounty program to help put our security to the test while also hoping to build meaningful connections with the best of the best. We offer payments electronically or can contribute to a charity in your name or a scholarship. 

Please follow a few guidelines:

• Please be a good citizen: Do not disturb the service. Follow the ToS. Avoid automated testing.
• If you gain access to our system, report it immediately.
• Only test with your data. Do not interact with other accounts.
• Do not publish any information regarding the vulnerability until we fix it.
• We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward. However if your report is of the same issue but presents alternative solutions, we will consider your report as a new idea.
• If you want to email us send to privacy@funnelscience.com or text us at 214-625-9023
• Please do not submit contact forms, create support tickets, send emails to customer service, etc. that will generate work for a human outside of the security team.
  

Bug Bounty Program: What We’re Looking For

We’re looking for any security exploit. But we’ll be extra generous with:

• Tampering data of other users. For example, this could be extracting or modifying someone’s leads. Please note only proving an account exists isn’t enough.
• Bypassing our API’s security: If you’re able to go a lot beyond your quota of requests per month or avoid authentication altogether.
• Cross-site scripting (XSS)
• Server-side code execution
• Getting Data from a Team Member
• Getting Data from the WWW

Please keep in mind this bounty program doesn’t concern regular bugs in our application, but only security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug please contact us at supportfunnelscience.com

Code of Conduct

• We expect all security researchers to follow the Bugcrowd Code of Conduct.
• Denial of service, spam, or phishing attacks are considered abusive and out of scope.
• Do not exfiltrate Funnel Science data, customers or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will work with you to assess the full impact of the vulnerability and award appropriately.

Bug Bounty Program: Examples of Non-Qualifying Exploits

• DOS
• Mixed-content scripts
• Social engineering
• Issues related to SPF
• Brute force attacks
• Failures to adhere to “best practices” (for example, common HTTP headers, link expiration, email-validation or password policy)
• Data published via the company through approved publishers.
• Click jacking or any action taken on a 3rd party website which we do not directly control.
• Any recommendation without a proof of concept or detailed example

Example case of Non-Qualifying Report

These are theoretical vulnerabilities we’re aware of, but we decided they didn’t present any risk in our case:

• Non-expiring session cookie: Funnel Science is protected through the use of HTTPS and our inclusion in the HSTS preload list of major browsers.

Program Rewards

Our reward system is flexible and doesn’t have any set upper or lower limit payment limits. This means severe bugs will be rewarded accordingly. In addition we pay for creative solutions that improves or enhances the system for all users. The amount will exclusively depend on the creativity or severity of the issue which you report and how much detail is provided. If we make any updates to our system or practices based on your report, we will pay you a Research Reward. 

Rewards will be sent using e-Check, Paypal or Crypto once the vulnerability has been fixed. 

Safe Harbor

Funnel Science supports and encourages security research and we are open to have a conversation at anytime.

To promote this research, we agree that, if a researcher complies with the terms of Funnel Science Bug Bounty Program:

• Funnel Science considers access to its systems necessary to your security research to be “authorized” access under the Computer Fraud and Abuse Act.
• Funnel Science agrees not to pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
• Funnel Science will waive any DMCA claim against you for circumventing technological measures we have used to protect Segment’s applications and services in scope of the policy.
• Funnel Science waives any restrictions in our applicable Terms of Service that would prohibit authorized security research in compliance with Funnel Science Bug Bounty Program, for the limited purpose of your security research under this policy.

   

Funnel Science connects with many third-party systems and services. Our authorization to you extends only to Funnel Science systems and services. Funnel Science , however, cannot authorize research on or access to third-party products that connect with its systems or guarantee they won’t pursue legal action against you. This policy does not authorize access to or waive any claims regarding any systems other than Funnel Science own. If a third party initiates a legal action despite your compliance with this bug bounty policy, upon your request, Funnel Science will provide the third party with this policy and a statement that your actions were conducted in compliance with this policy.

We have provided a contact form below for your submissions. This come directly to me and our leadership team. We will respond quickly, be transparent with our review of your submissions, and we will be fair to provide research rewards quickly. Top researchers will be added to our Hall of Fame. 

Thank you,

Dane Kuiper -PhD
CTO