Vagaro is pleased to introduce the Vulnerability Disclosure Program. This initiative is designed to facilitate the exchange of information regarding potential security vulnerabilities, establish guidelines for vulnerability testing, and provide a Safe Harbor to individuals who adhere to the rules below.
If you are a security researcher and would like to report a potential security vulnerability in any of Vagaro’s online services, please submit the details below for our security teams to evaluate and investigate. Our security team will validate and engage with security researchers for the next steps.
PROGRAM
Safe Harbor
Vagaro will not take legal action against you related to any activities conducted consistent with this Policy and otherwise in good faith. Vagaro reserves all its legal rights in the event of noncompliance with this policy.
Program Rules
- Don't create accounts just for the purpose of testing.
- No destructive automated testing - under no circumstance should automated testing cause intentional damage to Vagaro systems.
- Don't leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
- Report any suspected or confirmed vulnerabilities you discover in a timely manner.
- Do not violate the privacy of others, disrupt our systems, destroy data, and/or harm the user experience.
- If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal Information, credit card data, or proprietary information) – you are not authorized to access any Vagaro data.
- Keep the details of any discovered vulnerabilities confidential.
- Do not initiate any unauthorized financial transaction.
- Do not violate any national, state, or local laws or regulations.
- Don’t attempt to extort us.
- Don’t leave any system in a more vulnerable state than you found it.
- Don’t publicly disclose vulnerabilities without our explicit consent.
- Do respect our members' privacy.
- Do be respectful when interacting with our team.
- This safe harbor provision exclusively pertains to Vagaro platforms.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Social engineering (e.g. phishing, vishing, smishing, spear phishing, etc.).
- Bugs that have no security impact.
- Clickjacking on pages with no sensitive actions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Missing best practices in SSL/TLS configuration. Missing security headers or cookie flags.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Self-XSS, which includes any payload entered by the victim or via cookies.
- Infrastructure vulnerabilities, including issues related to SSL certificates, DNS configuration issues, and server configuration issues (e.g. open ports, TLS versions, etc.).
- Vulnerabilities that only affect users of outdated or unpatched browsers and/or platforms.
- Any other submission determined to be low risk based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.
- Reverse Tabnabbing.
- Website defacement.
- CSV Injection.
- Vulnerabilities found only by using an automated scanner.