[{"id":3751953,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Common Reports and Out of Scope Vulnerabilities\n\n**BugSnag API Key in Frontend Source Code**: This API key is intentionally available publicly. The BugSnag API key is write-only and can only be used report bugs; this key must be exposed in the source code in order for the client JS library to detect and report client-side errors. More information is available here: https://github.com/bugsnag/bugsnag-js/issues/595\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Issues related to team trial billing\n  * Note: findings related to sustained free access to the team plan after 70 days ARE valid\n* Issues related to exceeding the free seat limit on the Developer plan\n* Issues related to multiple activations of the GitHub Student Developer Pack discount\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-18T16:04:02.405Z"},{"id":3751952,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n*BugSnag API Key in Frontend Source Code*: This API key is intentionally available publicly. The BugSnag API key is write-only and can only be used report bugs; this key must be exposed in the source code in order for the client JS library to detect and report client-side errors. More information is available here: https://github.com/bugsnag/bugsnag-js/issues/595\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Issues related to team trial billing\n  * Note: findings related to sustained free access to the team plan after 70 days ARE valid\n* Issues related to exceeding the free seat limit on the Developer plan\n* Issues related to multiple activations of the GitHub Student Developer Pack discount\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-18T16:03:21.965Z"},{"id":3748253,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Issues related to team trial billing\n  * Note: findings related to sustained free access to the team plan after 70 days ARE valid\n* Issues related to exceeding the free seat limit on the Developer plan\n* Issues related to multiple activations of the GitHub Student Developer Pack discount\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-16T18:37:47.011Z"},{"id":3725289,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Issues related to team trial billing\n  * Note: findings related to sustained free access to the team plan after 70 days ARE valid\n* Issues related to exceeding the 3 free seat limit on the developer plan\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-08T18:53:13.213Z"},{"id":3725288,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Issues related to team trial billing\n  * Note: findings related to sustained free access to the team plan after 70 days ARE valid\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-08T18:50:01.684Z"},{"id":3713648,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Issues where the system is working as intended but documentation is incorrect (we may award a small bounty for these at our discretion)\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-05T18:30:30.965Z"},{"id":3681265,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# \\*\\* Register all test accounts using your `\u003cusername\u003e+x@wearehackerone.com` address. **\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-15T22:21:02.351Z"},{"id":3681203,"new_policy":"Doppler believes that working with skilled security researchers across the globe is crucial in identifying potential security vulnerabilities. If you believe you have found a security issue in our product or service, please notify us. We will make every effort to promptly resolve the issue.\n\n# Response Targets\nDoppler will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy \n* Submit a detailed report with steps to reproduce, screenshots, and anything else that will help validate your finding\n* We will inform you of remediation and may ask you to help confirm the fix\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Vulnerability Scoring\nWe will use CVSS 3.1 to guide our initial scoring, however Doppler reserves the right to adjust the score based on other qualitative factors. For example, a vulnerability leaking customer secrets would typically be ranked more highly than one leaking customer contact information.\n\n# Program Rules\n* Register all accounts using your `\u003cusername\u003e+x@wearehackerone.com` address.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Please keep account creation for this program to no more than 3 accounts.\n\n# Out of scope vulnerabilities\n\n### The following issues are considered out of scope:\n* MFA bypass when using Google Auth/SAML (intended behavior)\n* Referral credit accumulation using enumerated/deleted accounts (accepted risk)\n  * Note: findings that allow you to accumulate more than $500 in referral credit ARE valid\n* Attacks that allow you to exceed resource limits by switching between plans\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n\n### Exclusions \nWhile researching, please refrain from: \n* Denial of service \n* Brute forcing\n* Spamming \n* Social engineering (including phishing) of Doppler staff, contractors, or customers\n* Any physical attempts against Doppler property or data centers \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Doppler and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-15T04:47:46.405Z"}]