Introduction
Bridgit takes the security of our customer data very seriously. If you believe you’ve discovered a potential security vulnerability in one of our products please contact us right away.
We appreciate the assistance and patience of those submitting potential security vulnerabilities and Bridgit is committed to reviewing all reports that are disclosed. We will do our best to address each issue in a timely fashion and request submitters provide a reasonable timeframe to address the issue.
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from Bridgit.
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability provided all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. Bridgit reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this program. If you have any questions after reviewing our Responsible Disclosure Program please contact the Bridgit Security Team by email at security@gobridgit.com.
Bug Bounty & Compensation
Bridgit does not operate or offer a bug bounty program. No financial compensation will be provided in exchange for disclosing real or potential security vulnerabilities. Bridgit is not actively soliciting or encouraging uncontracted/freelance security researcher assistance.
Bridgit may, at our discretion, publicly recognize security researchers that submit valid security vulnerabilities in accordance with our Responsible Disclosure Policy on our Security Researcher Acknowledgments page.
Discovering Potential Security Vulnerabilities
Prior to conducting responsible security research on our products and services written consent must be obtained from Bridgit with scope and methods of testing/research defined. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access. Researchers may not use customer account access with or without permission (ex. A Bridgit customer or prospect in a trial period contracts you for testing services and provides their credentials). The following types of research are strictly prohibited:
- Accessing or attempting to access accounts or data that does not belong to you
- Any attempt to modify or destroy any data
- Executing or attempting to execute a Denial of Service (DoS) attack or Distributed Denial of Service (DDoS) attack(s)
- Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
- Conducting social engineering (including phishing) of Bridgit employees, contractors or customers or any other party
- Any physical attempts against our property or data centres, including (but not limited to) post boxes
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
- Taking any action that will negatively affect Bridgit, its partners or agents
- Testing third party websites, applications or services that integrate with our services or products
- The use of automated vulnerability scanners
- Destruction or corruption of data, information or infrastructure, including any attempt to do so
- Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability
- Exfiltrating any data under any circumstances
- Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage
- Disclosing any personally identifiable information discovered to any third party
- Any activity that violates any law
- Violation of any laws or agreements in the course of discovering or reporting any vulnerability
- Any exploitation actions, including accessing or attempting to access Bridgit data or information, beyond what is required for the initial “Proof of Vulnerability”
The following finding types are excluded from Bridgit’s Responsible Disclosure Program:
- Reports from automated vulnerability scanners
- Descriptive error messages such as stack traces, application or server errors
- HTTP 404 codes or pages, or other HTTP non-200 codes or pages
- Fingerprinting or banner disclosure on common and public services
- Disclosure of known public files or directories (ex. robots.txt)
- Clickjacking and other issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users, such as contact, login and logout forms
- CSRF with minimal security implications
- Content spoofing or text injection
- SPF and DKIM issues
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure or HTTPOnly flags on non-sensitive cookies
- Login or Forgot Password page brute force and account lockout not enforced
- Enabled HTTP methods (such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc.) without a valid attack scenario
- Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, etc.
- Host header or CSV injection without a valid attack scenario
- HTTP or DNS cache poisoning
- Missing best practices in SSL/TLS configuration without a working proof of concept
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
- Issues related to mobile applications that require the host device to be either rooted or jailbroken
- Issues related to brute forcing, rate limiting and other denial of service type attacks
- Weak password policy implementation
- Use of known-vulnerable libraries or frameworks (e.g. outdated programming languages) without a valid attack scenario
- Issues that rely on outdated or unpatched browsers and platforms to be abused
- Any services hosted by third-party providers, or services supporting Bridgit infrastructure (VPN, Identity Management systems, Mail & Messaging systems, etc.)
- Anything that is already public or anything not under Bridgit control (e.g. Google Analytics, etc.)
- Theoretical issues that lack practical severity
- Publicly released bugs in internet software within 15 days of their disclosure
- Version exposure without a working proof-of-concept exploit
How to Report a Potential Security Vulnerability
You can responsibly disclose potential security vulnerabilities to the Bridgit Security Team by emailing security@gobridgit.com. Ensure you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps or otherwise validate your submission.
When reporting a potential security vulnerability, please include as much information as possible, including:
- An explanation of the potential security vulnerability (including browser/OS versions, URLs, etc)
- A list of products and services that may be affected (where possible)
- Steps to reproduce the vulnerability
- Proof-of-concept code (where applicable)
- The names of any test accounts you have created (where applicable)
- Related CVE record(s) if applicable
- Your contact information
- A suggested patch or remediation action if you are aware of how to fix the vulnerability
- (Optional) Your public PGP key
By submitting your report to Bridgit:
- You agree not to publicly disclose the vulnerability until Bridgit agrees to a public disclosure
- You agree to keep all communication with Bridgit confidential
- You represent the report is original to you and that if you submit a third-party report, you represent that you have the permission to do so
- You allow Bridgit the unconditional ability to use, distribute or disclose information provided in your report
What Happens Next?
Once you have reported a potential security vulnerability, we will contact you within 72 business hours with an initial response. After initial contact we will keep you informed on our progress towards addressing the potential security vulnerability and will notify you when the matter has been addressed.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential by Bridgit, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it.
By submitting your report you have agreed to maintain confidentiality and to not make your research and/or report public until Bridgit agrees to public disclosure.
Bridgit does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for compensation (monetary or otherwise) will be deemed in violation of this Responsible Disclosure Program.