Vulnerability Disclosure Program

1 Introduction

BrowserStack aims to improve security through responsible testing and submission of previously unknown vulnerabilities. We appreciate your efforts in making BrowserStack a secure testing platform. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

2 Scope

2.1 In-scope domains include:

| # | Target | Type | Accessibility |
|---|--------|------|---------------|
| 1 | https://www.browserstack.com | Website Testing | BrowserStack main page can be accessed without login. |
| 2 | https://live.browserstack.com | Website Testing | Users can sign up on the BrowserStack website and opt for a Free Trial. |
| 3 | https://app-live.browserstack.com | Website Testing | |
| 4 | https://automate.browserstack.com | Website Testing | |
| 5 | https://app-automate.browserstack.com | Website Testing | |
| 6 | https://api.browserstack.com | API Testing | |
| 7 | https://api-cloud.browserstack.com | API Testing | |
| 8 | Local binary (Windows, macOS, Linux) – Only the latest released version | Executable Binary | Users can use the access key generated after signup (free trial) on the BrowserStack website. |
| 9 | *.percy.io | Website Testing | You’ll get a freemium account with 5000 snapshots/month when you sign up to Percy. |
| 10 | Domain (Percy) – 35.202.184.41 | Firewall – Enterprise firewalls | NA |
| 11 | Domain (Percy) – 35.226.127.204 | | NA |
| 12 | CIDR (Percy) – 35.202.19.5 | | NA |
| 13 | CIDR (Percy) – 104.154.145.167 | | NA |

2.2 Out-of-scope domains include:
  1. Domain: *.browserstack.com
    1. Subdomains of https://www.browserstack.com/ that are not explicitly mentioned in-scope are out of scope.
  2. Percy’s out-of-scope Domains
    1. blog.percy.io → Our blog is hosted on Medium. Please don’t submit reports to us for this.
    2. docs.percy.io
    3. go.percy.io
    4. status.percy.io → This site is managed by statuspage.io. Any bug bounties should be reported directly to Atlassian.
  3. All the real devices/emulators and terminals provided by BrowserStack.
    1. The terminal here refers to a device/machine (which can be virtual) provided to users for running their tests.
  4. Third-party applications
  5. Local Language Bindings

In addition to the above, any services not expressly listed above are excluded from the scope and are not authorised for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@browserstack.com before starting your research.

3 Guidelines

Please adhere to the following guidelines to be eligible for recognition under this disclosure program:

  • Do not intentionally try to access non-public BrowserStack data any more than is necessary to demonstrate the vulnerability.
  • Do not conduct Denial of Service, Distributed Denial of Service, or otherwise disrupt, interrupt or degrade our internal or external services.
  • Do not share confidential information obtained from BrowserStack as part of your research with any individual, entity, or public platform.
  • Do not engage in social engineering and phishing against BrowserStack staff, members, vendors, or partners.
  • To help us triage and prioritise submissions, we recommend that your report describes the location of the vulnerability discovered and the potential impact of exploitation, and includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. If you don’t explain the vulnerability in detail, there may be significant delays in the disclosure process.

4 Vulnerability Disclosure Process

  • Please submit the vulnerability report to BrowserStack’s Security Team using the program page hosted on HackerOne – https://hackerone.com/browserstack.
  • To get your invite on HackerOne, send an email to security@browserstack.com with a summary of the nature of the issue you want to report.
  • You should be the first reporter of the vulnerability. The vulnerability may already have been identified internally or by someone else. We will make sure to notify you if that is the case.
  • Please do not discuss any vulnerabilities (even resolved ones) on any external platform without express consent from BrowserStack.
  • Adhere to HackerOne’s disclosure guidelines.

BrowserStack allows you to submit vulnerabilities anonymously. BrowserStack shall not require you to submit personally identifiable information, although we may request that you voluntarily provide contact information.

5 BrowserStack’s Commitment

To the best of our ability, we will confirm the existence of the vulnerability and be transparent about the steps taken during the remediation process, including any issues or challenges that may delay resolution.

5.1 Legal Terms

  • In connection with your participation in this program, you agree to comply with BrowserStack’s Terms of Service, BrowserStack’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
  • BrowserStack reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).
  • BrowserStack does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of BrowserStack’s users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to BrowserStack to extract and publicly disclose data belonging to BrowserStack.
  • BrowserStack employees (including former employees that separated from BrowserStack within the prior 12 months), contingent workers, contractors, and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any BrowserStack programs, whether hosted by BrowserStack or any third party.

6 Safe Harbour

  • BrowserStack will not initiate a lawsuit or law enforcement investigation against you in response to reporting a vulnerability if you fully comply with this Policy.
  • Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action.
  • We cannot and do not authorise security research in the name of other entities. If a third party initiates legal action against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy. You are expected, as always, to comply with all applicable laws and regulations.

If you have concerns or are uncertain whether the security research is consistent with this policy, please contact security@browserstack.com before going any further.

7 Rewards

If your work helps us improve the security of our product and/or service, we’d be happy to reward your work accordingly. Rewards will be as per our HackerOne rewards structure.