Introduction

BigID is committed to providing secure software to our customers. The BigID Product Security Incident Response Team (PSIRT) encourages and appreciates responsible reports of vulnerabilities that help us maintain the security of our products and systems. This Vulnerability Disclosure Policy (VDP) is designed to guide security researchers in conducting vulnerability discovery activities and reporting vulnerabilities to BigID.

Scope

The policy applies to these domains:

  • *.bigid.com
  • *.bigid.cloud
  • *.bigidprivacy.cloud

The following types of vulnerabilities are out of scope for this policy:

  • Previously known vulnerable libraries without a working Proof of Concept.
  • Vulnerabilities only affecting users of outdated or unpatched browsers.
  • Attacks that require MITM for exploitation.
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
  • Theoretical vulnerabilities that require unlikely user interaction or circumstances (broken link hijacking, tabnabbing, etc.).
  • Vulnerabilities that do not demonstrate real-world security impact (clickjacking, CSRF on non-sensitive endpoints, etc.).
  • Optional security hardening steps / Missing best practices (SSL/TLS configurations, CSP configuration opinions, etc.).
  • Vulnerabilities that may require hazardous testing. This type of testing must never be attempted unless explicitly authorized by BigID in writing (DoS, DDoS, Social engineering attacks, etc.).

Process

BigID accepts in-scope vulnerability reports via [email protected]. Please share all relevant details in your report, including:

  • Details on the CIA impact, ideally with an assessment based on the CVSS calculator;
  • Detailed steps to reproduce the vulnerability; and
  • Affected assets, domains and/or software.

BigID values transparency and cooperation throughout the reporting process. We aim to promptly acknowledge reports and to share pertinent status updates with reporters as frequently as the PSIRT’s availability and security procedures permit.

In return, we ask that you refrain from disclosing the vulnerability to the public or any third party until BigID has had the opportunity to validate and remediate the vulnerability and notify affected users. After this, we ask you to coordinate with BigID on the timing and content of any disclosure. We also ask you to make every effort to avoid privacy violations, degradation of the user experience, disruption to production systems, and destruction or manipulation of data throughout the process.

BigID does not provide payment for vulnerabilities reported under this policy. Compensation is only provided for certain reports submitted via BigID’s private Bug Bounty Program via HackerOne. For more information on asset scope and eligibility for BigID’s Bug Bounty Program, reach out to us at [email protected].

Safe Harbor

BigID has adopted the Gold Standard Safe Harbor to support the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or of those who use such devices, machines, or online services.

We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Use that conflicts with the standard for Good Faith Security Research outlined here.

This means that for Good Faith Security Research conducted with a good faith effort to comply with our program policy and while this program is active, we:

  • Will not bring legal action against you or report you, including for bypassing technological measures we use to protect the applications in scope; and,
  • Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.

You should contact us via [email protected] for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.

Keep in mind that we are not able to authorize security research on third-party infrastructure and a third party is not bound by this safe harbor statement.