Security Exploit Bounty Program

Responsible Disclosure

Security of user data and communication is of utmost importance to Make. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Make. Principles of responsible disclosure include, but are not limited to:

  • Accessing or exposing only customer data that is your own.

  • Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).

  • Keeping within the guidelines of our Terms Of Service.

  • Keeping vulnerabilities secret until Make has been notified and had a reasonable amount of time to fix the vulnerability.

  • You are strictly forbidden from sharing any information regarding vulnerabilities you might have uncovered while working under the guidance of the bug bounty program.

In order to be eligible for a bounty, your submission must be accepted as valid by Make. We use the following guidelines to determine the validity of requests and the reward compensation offered.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.


Severity

We are interested in security vulnerabilities that can be exploited to gain access to user data. We will qualify and reward a vulnerability only if the bug can be successfully used, by itself or in combination with another vulnerability you report, to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug". The exploit must rely only on vulnerabilities in Make's systems. Issues may receive a lower severity due to the presence of compensating controls and context.


Scope

Everything in the make.com domain space, with the exception of the items on the Out of scope list.


Out of scope

  • DMARC policy

  • Automated scanning tools (ssllabs.com, Nessus, Qualys, …)

  • Denial of Service vulnerabilities (DoS/DDoS)

  • Social Engineering, Phishing

  • Mixed-content scripts

  • Missing Cookie Flags

  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible

  • User Enumeration

  • Password Complexity

  • Vulnerabilities on Third-Party Products

  • Security Practices where other mitigating controls exist

  • CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.

  • Subdomain Takeover

  • Clickjacking

  • Self XSS

  • Email Spoofing / SPF Records Misconfiguration

  • Content Spoofing

  • Stack Traces, Path Disclosure, Directory Listings

  • SSL/TLS controls where other mitigating controls exist

  • Banner Grabbing

  • Reflected File Download

  • Reports on outdated browsers

  • Host Header Injection without a demonstrable impact

  • HTTP Trace Method

Rewards

  • Only 1 bounty will be awarded per vulnerability.

  • If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

  • We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

To receive a reward, you must reside in a country that is not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan, Syria, Russia). This is a discretionary program and Make reserves the right to cancel the program. The decision whether or not to pay a reward is at our discretion.

Contact

Please email us at [email protected] with any vulnerability reports or questions about the program.