[{"id":3713388,"new_policy":"# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API 
token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/](https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/)\n* No login required / supported; replica of www.smartsheet.com which should NOT be used in Bug Bounty\n\n##### [developers.smartsheet.com](https://developers.smartsheet.com)\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n##### iOS Application and Android Application\n* Download from the app store and use your Smartsheet login\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e HTTP header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n* Sub-domain Take-Over\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure 
guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. This program is also not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. 
We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-28T20:51:26.021Z"},{"id":3713387,"new_policy":"# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/](https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/)\n* No login required / supported\n\n##### [developers.smartsheet.com](https://developers.smartsheet.com)\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n##### iOS Application and Android Application\n* Download from the app store and use your Smartsheet login\n\n# Focus Areas\n* Account Takeover (do not 
test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e HTTP header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n* Sub-domain Take-Over\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. This program is also not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-28T20:42:06.390Z"},{"id":3713384,"new_policy":"# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/](https://www.nginx.bug-bounty.smartsheet-www.smartwebdev.systems/) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* 
Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e HTTP header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n* Sub-domain Take-Over\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. This program is also not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-28T20:34:45.659Z"},{"id":3681609,"new_policy":"# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide 
detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e HTTP header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n* Sub-domain Take-Over\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. This program is also not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T16:58:18.609Z"},{"id":3672591,"new_policy":"# Program Update\n2022-06-09\nWe appreciate your patience while we aggressively work to clear out a backlog of bug bounty reports and begin paying bounties again as of mid-July starting with higher severity reports first.\n\n2022-05-09\nWe have recently added four additional assets to this program!  These new Smartsheet assets include our developer marketplace, mobile apps and help site. \n\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. 
We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer 
account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. 
If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e HTTP header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n* Sub-domain Take-Over\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import 
the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-09T21:42:23.212Z"},{"id":3672548,"new_policy":"# Program Update\n2022-06-09\nWe appreciate your patience while we aggressively work to clear out a backlog of bug bounty reports and begin paying bounties again as of mid-July starting with higher severity reports first.\n\n2022-05-09\nWe have recently added four additional assets to this program!  These new Smartsheet assets include our developer marketplace, mobile apps and help site. \n\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. 
We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide 
detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e http header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-09T13:27:03.615Z"},{"id":3671070,"new_policy":"# Program Update\n2022-05-09\nWe have recently added four additional assets to this program!  These new Smartsheet assets include our developer marketplace, mobile apps and help site. \n\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. 
Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at 
https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No security scanners or tools which may cause denial of service or generate repetitive scraping-like behavior against our web services or websites.\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* No spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you.\n* Only test against public web-forms that belong to your test account. 
(Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n* Only test using an X-Bug-Bounty:\u003cyour_h1_username\u003e http header so we can identify your requests easily.\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. 
As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-10T17:02:32.305Z"},{"id":3671015,"new_policy":"# Program Update\n2022-05-09\nWe have recently added four additional assets to this program!  These new Smartsheet assets include our developer marketplace, mobile apps and help site. \n\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. 
We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer 
account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Avoid spamming. 
If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all 
applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-10T01:37:37.456Z"},{"id":3671011,"new_policy":"# Program Update\n2022-05-09\nOur program is accepting submissions again. We recently added 6 additional assets to this program!  These new Smartsheet assets include our developer marketplace, mobile apps, and help site.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. 
Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at 
https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for a Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n##### [rm.smartsheet.com](https://rm.smartsheet.com)\n* Use your @wearehackerone.com email to sign up for a Smartsheet trial account.\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.rm.smartsheet.com](https://api.rm.smartsheet.com)\n* API for the rm.smartsheet.com application\n* After signing up for a trial account, [generate an API token](https://github.com/10Kft/10kft-api/blob/master/sections/first-things-first.md#authentication) to use with the API\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Avoid spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, 
sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-09T22:07:25.141Z"},{"id":3670992,"new_policy":"# Program Update\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. 
We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n##### [rm.smartsheet.com](https://rm.smartsheet.com)\n* Use your @wearehackerone.com email to sign up for Smartsheet trial account.\n* Additional accounts can be created using 
yourusername+whatever@wearehackerone.com\n\n##### [api.rm.smartsheet.com](https://api.rm.smartsheet.com)\n* API for the rm.smartsheet.com application\n* After signing up for a trial account, [generate an API token](https://github.com/10Kft/10kft-api/blob/master/sections/first-things-first.md#authentication) to use with the API\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Avoid spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-09T17:38:55.050Z"},{"id":3670989,"new_policy":"# Program Update\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. 
Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at 
https://admin.smartsheet.com/\n\n##### [help.smartsheet.com](https://help.smartsheet.com) and [developers.smartsheet.com](https://developers.smartsheet.com)\n* No login required / supported\n\n##### iOS Application and Android Application\n* Use your @wearehackerone.com email to sign up for Smartsheet developer account: [https://developers.smartsheet.com/register/](https://developers.smartsheet.com/register/)\n\n##### [rm.smartsheet.com](https://rm.smartsheet.com)\n* Use your @wearehackerone.com email to sign up for Smartsheet trial account.\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n##### [api.rm.smartsheet.com](https://api.rm.smartsheet.com)\n* API for the rm.smartsheet.com application\n* After signing up for a trial account, [generate an API token](https://github.com/10Kft/10kft-api/blob/master/sections/first-things-first.md#authentication) to use with the API\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Avoid spamming. If you want to test a scenario that might result in spam, please contact us at [bugbounty@smartsheet.com](mailto:bugbounty@smartsheet.com)\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, 
sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-09T16:56:21.217Z"},{"id":3668032,"new_policy":"# Program Update\n2022-03-14\nWe have paused the program effective immediately and plan on opening submissions in the near future. 
We appreciate all your hard work and patience!\n\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n2021-11-01\nWith the holiday season approaching, we will be slower to respond in the coming months. We appreciate all your hard work and wish you continued success!\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-14T19:14:49.232Z"},{"id":3663001,"new_policy":"# Program Update\n2021-12-14\nWe have received numerous reports for the log4j (CVE-2021-44228) vulnerability and any new submissions will be treated as a duplicate and not be rewarded a bounty. We ask that you focus efforts on other vulnerabilities in our program.\n\n2021-11-01\nWith the holiday season approaching, we will be slower to respond in the coming months. We appreciate all your hard work and wish you continued success!\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. 
Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at 
https://admin.smartsheet.com/\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-14T14:26:38.470Z"},{"id":3661923,"new_policy":"# Program Update\nWith the holiday season approaching, we will be slower to respond in the coming months. We appreciate all your hard work and wish you continued success!\n\n# Introduction\nSmartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. 
Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-18T15:24:45.202Z"},{"id":3636870,"new_policy":"Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-29T19:45:09.603Z"},{"id":3636814,"new_policy":"Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $50 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n##### [admin.smartsheet.com](https://help.smartsheet.com/articles/2481889-admin-center-overview)\n* 
To access the Admin Center, log in with your test credentials at https://admin.smartsheet.com/\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-28T23:43:13.677Z"},{"id":3611773,"new_policy":"Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $50 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege 
Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n* Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T18:57:50.857Z"},{"id":3609175,"new_policy":"Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $100 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\n**Only test using @wearehackerone.com accounts, unless otherwise specified.**\n**More detailed access instructions and documentation can be found in the Structured Scope section of this brief.**\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege 
Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-09T18:53:54.043Z"},{"id":3607332,"new_policy":"Smartsheet is a cloud-based work execution platform that empowers collaboration, drives better decision making, and accelerates innovation for over 78,000 brands in 190 countries, including more than 75% of the Fortune 500. Smartsheet complements existing enterprise investments by deeply integrating with applications from Microsoft, Google, Salesforce, Jira, Slack and many others.\n\nWe appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $100 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\nOnly test using @wearehackerone.com accounts, unless otherwise specified.\nMore detailed access instructions and documentation can be found in the Structured Scope section of this brief. 
\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-10T20:47:36.313Z"},{"id":3607331,"new_policy":"We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $100 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\nOnly test using @wearehackerone.com accounts, unless otherwise specified.\nMore detailed access instructions and documentation can be found in the Structured Scope section of this brief. 
\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* We practice the [mutual agreement](https://www.hackerone.com/disclosure-guidelines) disclosure process.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. 
You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-10T20:35:38.836Z"},{"id":3606786,"new_policy":"We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a foundational belief at Smartsheet. Every day new security issues and attack vectors emerge. Smartsheet strives to keep abreast of the latest security developments by, in part, working with world-class security researchers and companies. 
We appreciate the community's efforts in creating a more secure world.\n\n# Response Targets\nSmartsheet will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to first Smartsheet response (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Rewards\nOur bounty table provides general guidelines, and all final decisions are at the discretion of Smartsheet.\nWell written submissions and friendly hackers may be subject to additional rewards.\n\n### Bounty Reward Ranges\n| Priority \t| Critical Severity\t| Low Severity Targets  |\n|----------\t|:------------------:\t|:--------------------: |\n| Critical      | $1250 - $2500   |     $600 - $1000 \t\t  |\n| High\t  \t|   $750 - $1500   |     $350 - $750    \t\t  |\n| Medium       \t|  $200 - $850   |     $150 - $500    \t\t  |\n| Low        \t|    $100 - $250   |     $50 - $200    \t\t  |\n| Informational  |   $0    \t\t      |     $0     \t\t  |\n\n\n# Targets and Test Plan\nOnly test using @wearehackerone.com accounts, unless otherwise specified.\nMore detailed access instructions and documentation can be found in the Structured Scope section of this brief. 
\n\n##### [app.smartsheet.com](https://app.smartsheet.com/b/home)\n* Use your @wearehackerone.com email to sign up for a [developer account](https://developers.smartsheet.com/register/)\n* Additional accounts can be created using yourusername+whatever@wearehackerone.com\n\n\n##### [api.smartsheet.com/2.0](https://smartsheet-platform.github.io/api-docs/)\n* After signing up for a developer account, [generate an API token](https://smartsheet-platform.github.io/api-docs/#authentication-and-access-tokens) to use with the API\n\n\n# Focus Areas\n* Account Takeover (do not test against customer accounts)\n* Privilege Escalation\n* Customer information disclosure and manipulation\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we will only award the first report that was received (provided that it can be fully reproduced).\n* Multiple issues that are caused by a single underlying vulnerability will be awarded one bounty or marked as duplicates at the discretion of Smartsheet.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Restrictions\n* No DoS \u0026 DDoS testing\n* No Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Automated scanners MUST BE single threaded / rate limited\n* Only test against Smartsheet accounts that belong to you\n* Only test against public web-forms that belong to your test account. (Early Adopter Program, Abuse Report, Contact Me forms, Feedback Forms, etc. 
are out of scope.)\n\n# Out of Scope / Not applicable\n* Executables as attachments.\n* Attacks requiring MITM or physical access to a user's device\n* Best practices in SSL/TLS configuration\n* Clickjacking on pages with no sensitive actions\n* Unauthenticated/logout/login CSRF\n* CSRF on public (published and embedded) sheets\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Spam and Email Abuse\n\n# Accepted Business Risks\n*  Enumeration or disclosure of users and groups within own organization\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Smartsheet.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n### Legal Stuff\n\nAs a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work form, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.\n\nYou must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.\n\nDo not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. 
You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.\n\nWe may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-02T19:12:09.740Z"}]