Introduction
Superside is committed to the security of our users and customers. As part of that commitment, we invite security researchers to help protect Superside and our users by proactively identifying security vulnerabilities through our bug bounty program. The program offers rewards tailored to different types of vulnerabilities, so that your efforts are both recognized and compensated. Researchers who wish to participate should review this policy carefully to ensure they comply with its rules; it also explains how to safely verify any vulnerability you discover.
Scope
Testing is only authorized on the targets listed as in scope. Any Superside domain or property not listed in the targets section is out of scope, including all subdomains not listed there. However, if you identify a security vulnerability on a target that is not in scope but demonstrably belongs to Superside, you may still report it through this program.
Guidelines
- Testing is prohibited on the production environment. The domain superside.com and all of its subdomains (*.superside.com) are out of scope. Testing is only authorized on the staging environment, *.supersidestaging.com, which hosts the in-scope targets.
- Researchers must not disclose or exploit any vulnerabilities found, except for the sole purpose of testing and reporting the vulnerability to Superside under the terms of this policy.
- If sensitive information, such as personal information, credentials, etc., is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be deleted and may not be retained.
- Researchers must not publicly disclose any vulnerabilities before Superside has had a reasonable opportunity to remediate them and without prior written consent.
- Researchers must not access or attempt to access any data or systems that are not directly related to the vulnerability report.
- Researchers must comply with all applicable laws and regulations, including data protection laws, when participating in the bug bounty program.
- Superside will make every effort to respond to vulnerability reports in a timely manner and to remediate vulnerabilities as soon as possible.
Eligibility
- Individuals submitting a vulnerability report must have reached the minimum age required to participate in such a program under the laws of the country in which they reside, and in any event must be at least 18 years of age.
- Employees, contractors and past contractors of Superside are not eligible for participation in this program.
- Vulnerability reports must be submitted responsibly and in good faith, without causing harm to Superside or its users.
- Individuals who have been involved in black hat hacking activities or have been convicted of any computer or cybercrime activities are not eligible to participate in the bug bounty program.
- Individuals from countries that are currently subject to U.S. Office of Foreign Assets Control (OFAC) sanctions, are on the OFAC Specially Designated Nationals and Blocked Persons List, or other relevant international sanctions are not eligible to participate in the bug bounty program.
Reporting
- Vulnerability reports should be submitted by email to Superside's Security Team at security@superside.com.
- The report should include detailed information on the vulnerability, including:
  - Vulnerability type (e.g., XSS, SQLi, RCE, etc.)
  - URL / location of the vulnerability
  - Suggested severity
  - Technical description and potential impact
  - Proof of concept
  - Steps to reproduce
  - Attachments, if any (only images and videos are allowed)
  - Any additional notes or comments
- Please include any plans or intentions for public disclosure.
Accepted Vulnerabilities
Vulnerabilities that are considered valid reports for our Bug Bounty Program can be found here, subject to the following exclusions:
Exclusions
- Denial of Service attacks
- Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
- Attacks requiring physical access to a user's device
- Mail configuration issues including SPF, DKIM, DMARC settings
- IDORs using UUIDs without a direct way to enumerate those UUIDs
- EXIF metadata stripping related reports
- Third-party applications and third-party APIs
Response SLA
- First response time: 2-5 business days
- Triage time: 2-5 business days from the first response
- Bounty time: middle of the next calendar month
Rewards
- Only the first individual to submit a valid vulnerability report will receive a reward.
- Reports must be submitted within the program's scope to be eligible for a reward.
- Reports must be new and not already known or reported to Superside.
- Rewards may be granted at the sole discretion of Superside and based on the severity and impact of the vulnerability reported.
- Superside will determine the reward amount and is under no obligation to provide an explanation for the reward granted or not granted.
Reward range by severity level:
- Critical: $2,000 to $3,000
- High: $1,000 to $1,500
- Medium: $400 to $600
- Low: $50 to $200
Payments
All rewards determined by Superside will be paid exclusively through wire transfers to eligible individuals in the calendar month following the month in which the vulnerability report is approved by Superside. For example, reports accepted in June will be rewarded in July.
Safe Harbor
Superside will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed Superside products. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Superside or its customers/users.
- Engage in vulnerability testing within the scope of our bug bounty program.
- Adhere to the laws of their location and the location of Superside. For example, violating laws that would only result in a claim by Superside (and not a criminal claim) may be acceptable as Superside is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Legal
- By submitting a vulnerability report, researchers agree to release Superside from any and all legal claims and liabilities the researcher may have against Superside.
- Any legal disputes arising from this Policy and/or Superside’s bug bounty program shall be governed by, and construed in accordance with, the laws of the State of Delaware without regard to its rules of conflict of laws and without regard to the United Nations Convention on Contracts for the International Sale of Goods.
- Superside will not take any legal action against researchers who submit vulnerability reports in accordance with this policy, provided that the researcher does not violate this policy or any applicable laws or regulations.
- Superside reserves the right to modify or terminate the bug bounty program at any time and for any reason.