Introduction to Omnisend Bug Bounty Program
Omnisend, the top-rated marketing automation platform for ecommerce, values the security of its business and customers. To help maintain a secure environment, Omnisend has established a Bug Bounty disclosure program. This program encourages security researchers and experts to collaborate with the company in identifying and reporting security vulnerabilities. By partnering with the security community, Omnisend aims to continuously improve its security measures and protect user data.
Program Guidelines for Bug Bounty
Participating in the Omnisend Bug Bounty program requires adherence to specific rules and guidelines to ensure the effectiveness of the collaboration. Security researchers are expected to provide detailed reports with reproducible steps when identifying a security issue. This includes thorough documentation of the steps taken to discover the vulnerability, enabling Omnisend's security team to replicate and verify the issue. Submitting one vulnerability per report is recommended, unless the researcher needs to chain vulnerabilities to demonstrate impact.
Scope of Bug Bounty Program
The Bug Bounty program offered by Omnisend covers various aspects of the company's ecosystem, including the web application, marketing site, WordPress plugins, App Market, Developer Center, API endpoint, and the Partner portal. These areas are open for security assessment, allowing researchers to uncover vulnerabilities and report them for review and resolution. It is essential to consider the scope of the Bug Bounty program when conducting security testing to ensure that the identified issues fall within the eligible domains.
Out-of-Scope Vulnerabilities
While the Omnisend Bug Bounty program encourages the discovery of security vulnerabilities for eligible components, certain types of findings are considered out of scope. These include phishing attempts, social engineering tactics, denial-of-service attacks, and issues that are already known or have planned fixes, such as missing CSRF tokens. Researchers are advised to focus on finding vulnerabilities within the defined scope of the program to increase the chances of qualifying for rewards and recognition.
Contact and Reporting Process
Security researchers who identify potential security vulnerabilities within Omnisend's platforms are encouraged to report their findings promptly. The company has provided a dedicated email address, security@omnisend.com, for researchers to submit their reports. By following the guidelines outlined in the Bug Bounty program and promptly reporting any identified issues, researchers contribute to the enhancement of Omnisend's overall security posture, ensuring a safer environment for all users.