Bounty Program

Glia Technologies is committed to treating our customers’ data with the utmost care. As part of this, we welcome security researchers to put our security to the test and we offer a variety of rewards for doing so.

This page is intended for security researchers. For general information about security at Glia Technologies, please see our main website.

Program Rules

  • Automated testing is not permitted.
  • Test only with your own team(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating an issue, you must disclose this in your report.
  • You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
  • We award bounties at time of fix, and will keep you posted as we work to resolve them.
  • Contacting anyone in the organization outside of bounty-hunters@glia.atlassian.net will result in an immediate disqualification for a bounty for that report.
  • We will endeavour to investigate and respond to all valid reports. We prioritise evaluations based on risk and multiple other factors, and it may take some time before you receive a reply.
  • Do not disclose the issue to the public or a third-party for at least 30 days. In some cases we may request an extension of this period to up to 180 days


Bug Bounty Rewards

The following guidelines give you an idea of what we usually pay out for different classes of bugs. Low-quality reports may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue. Step-by-step instructions including how to reproduce are preferred. Screenshots and videos are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.

There is no maximum reward - particularly creative or severe bugs will be rewarded accordingly. Depending on the severity of the bug, and the quality of your report, we may pay a lower-tier bug out at a higher level.

Severity
Critical
High
Medium
Low
CVSSv3
9.0 - 10.0
7.0 - 8.9
4.0 - 6.9
2.0 - 3.9
Min
$5000
$2500
$1000
$200

Tier 3: Low Severity Bugs $200 and up

  • Mixed content issues
  • "Tab-Nabbing" or other rel="noopener" bugs
  • Self-XSS (XSS requiring interaction other than browsing to exploit)
  • Server misconfiguration or provisioning errors
  • Information leaks or disclosure (excluding customer data)
  • And other low-severity issues

Tier 2: Medium Severity Bugs $1000 and up

  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • Broken Authentication affecting a organization
  • Privilege Escalation affecting a single organization
  • SSRF to an internal service, hosted by Glia Technologies (e.g. Applets)
  • Information leaks or disclosure (including customer data)
  • And other medium-severity issues

Tier 1: High Severity Bugs $2500 and up

  • XSS

Tier 0: Critical Severity Bugs $5000 and up

  • SQL Injection
  • Remote Code Execution
  • Privilege Escalation affecting all teams
  • Broken Authentication affecting all teams
  • SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
  • And other critical-severity issues

What’s In Scope

  • *.glia.com
  • *.glia.eu
  • *.salemove.com
  • *.salemove.eu
  • Tier-0 bugs only for the following:
  • *.glia.com
  • *.glia.eu
  • *.salemove.com
  • *.salemove.eu
  • Current versions of the official Glia Technologies applications for Windows, Mac, Linux, iOS, and Android
  • Apps that are maintained by Glia Technologies itself (and not 3rd party applications). To identify apps that are in scope for bug bounty, please note that apps may differ from Glia Technologies production, depending on the impact of an issue.

Testing notes

  • Cookie Scope: the only sensitive cookies in the Glia Technologies product reside on .glia.com, .glia.eu, .salemove.com, .salemove.eu only.

Exclusions

The following bugs are unlikely to be eligible for a bounty:

  • CSV Injection
  • Issues found through automated testing
  • Vulnerabilities that are already known to Glia (i.e. discovered internally or already reported by another bounty hunter)
  • "Scanner output" or scanner-generated reports
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • "Advisory" or "Informational" reports that do not include any Glia Technologies-specific testing or context
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Network Level DDoS/DoS attacks. Application volumetric DDoS/DoS attacks are also forbidden: if you find a request that takes too long to answer, report it, but please do not try to DoS the service.
  • Brute Force attacks
  • Spam or Social Engineering techniques, including:
  • SPF, DKIM or DMARC issues
  • Content injection
  • Hyperlink injection in emails
  • IDN homograph attacks
  • RTL Ambiguity
  • Content Spoofing
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
  • Strict Transport Security (HSTS)
  • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
  • X-Content-Type-Options
  • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Bugs that do not represent any security risk - these should be reported to operations@glia.com.
  • Security bugs in blog.glia.com - this site runs on WordPress, so if you find vulnerabilities in the WordPress service, please see WordPress bounty program for reporting details
  • Security bugs in status.glia.com - this site runs on atlassian Status Page please see atlassian bounty program for reporting details
  • The following findings that often get reported, but in fact are not security issues:
  • Rate limiting on "Request for a demo" pages (those pages are hosted with Adobe Marketo, please refer to Adobe bounty program for reporting details)
  • WAF bypass on blog.glia.com (the Origin IP that the attacker sees is in fact a load balancer, not the target server)
  • Security bugs in third-party applications or services built on the Glia Technologies API - please report them to the third party that built the application or service
  • Security bugs in software related to an acquisition for a period of 90 days following any public announcement
  • Enterprise Mobility Management
  • Submissions from current or former Glia Technologies employees within one year of their departure from Glia Technologies


Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.


Legal

If you’re on the US sanctions list, or live in a country that’s on the sanctions list, we cannot pay you a reward.

We reserve the right to cancel or modify this Program at any time. The decision over an award is entirely at Glia's discretion.