Bounty Program

As part of Glia’s commitment to security and transparency, we are proud to introduce our Bounty Program. This initiative invites skilled third-party security researchers to assist us in identifying potential vulnerabilities within our software systems. We offer rewards for reports that contribute to the enhancement of our security posture. Participation in this program helps Glia protect our customers and promotes a culture of security across the industry. We look forward to your valuable participation.

This program is intended only for security researchers and participants in the bounty program. For general information about security at Glia Technologies, please see our main website.

Program Rules

  • Reporting: Participants are required to report any vulnerabilities directly and exclusively to bounty-hunters@glia.atlassian.net, and must not disclose them to the public or any third party prior to our resolution of the reported issues. Reporting vulnerabilities to anyone in the organization outside of bounty-hunters@glia.atlassian.net will result in a disqualification for a bounty for that report.
  • Compliance with Laws: Participants must comply with all applicable local, state, national, and international laws and regulations in connection with their participation in this bug bounty program. Bounties are ineligible for individuals or entities in jurisdictions subject to sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury.
  • Data Privacy: Any access to, or handling of, user data should be minimized, and participants must avoid violating the privacy of any user, employee, or company data. Inadvertent or accidental violations of privacy (such as accessing account data, service configurations or other confidential information) must be disclosed in your report.
  • Confidentiality: Participants agree not to disclose any information about vulnerabilities found, including but not limited to methods, data, and findings, to any third parties without express written consent from our company. Any sensitive information acquired during the course of vulnerability research must be handled with the utmost care and should not be copied, altered, or destroyed. After a vulnerability has been resolved, any public disclosure of the vulnerability will be at Glia’s discretion.
  • Safe Harbor: Activities conducted in a manner consistent with this program will be considered authorized conduct and we will not initiate legal action for such activities. However, we reserve the right to take legal action against participants who engage in unauthorized actions.
  • Service Disruption and Malware: Activities must be conducted in a manner that avoids any service disruption or degradation. Testing should not impact other users or our services’ integrity. The introduction of malware or the use of automated tools or scripts for finding vulnerabilities is strictly prohibited.
  • Automated Testing: The use of automated tools, scripts, or scanners is prohibited in this bug bounty program.
  • Reward Eligibility: Submissions must be original and previously unreported. Duplicate reports will not be eligible for a reward. We will review duplicate bugs to see if they provide additional information, but will otherwise only reward the first reporter.
  • Payment Schedule: Bounties will be paid only after the reported vulnerability has been verified and fixed. We will inform the participant of the resolution timeline, and payment will be processed upon successful verification of the fix.
  • Glia Discretion: Bounty rewards will be determined at Glia’s discretion. Bounty rewards are not guaranteed. We will endeavor to investigate and respond to all valid reports in a timely manner, but we prioritize evaluations based on risk and multiple other factors that may result in a delayed response. Glia reserves the right to modify the terms of the program or terminate the program at any time.


Bug Bounty Rewards

The following guidelines give you an idea of what we may pay out for different classes of bugs. Low-quality reports may be excluded entirely or rewarded below these tiers, so please make sure that there is a valid attack scenario with enough information for us to be able to reproduce your issue to qualify for a reward - we consider this to be a critical element of vulnerability research. Screenshots and videos are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.

There is no maximum reward - particularly creative or severe bugs will be rewarded accordingly. Depending on the severity of the bug, and the quality of your report, we may pay a lower-tier bug out at a higher level.

Tier 3: Low Severity Bugs $200 and up

  • Mixed content issues
  • "Tab-Nabbing" or other rel="noopener" bugs
  • Self-XSS (XSS requiring interaction other than browsing to exploit)
  • Server misconfiguration or provisioning errors
  • Information leaks or disclosure (excluding customer data)
  • And other low-severity issues

Tier 2: Medium Severity Bugs $1000 and up

  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF), except in “sandbox” domains unless you can gain access to sensitive user data
  • Broken Authentication affecting an organization
  • Privilege Escalation affecting a single organization
  • SSRF to an internal service, hosted by Glia Technologies (e.g. Applets)
  • Information leaks or disclosure (including customer data)
  • And other medium-severity issues

Tier 1: High Severity Bugs $2500 and up

  • XSS

Tier 0: Critical Severity Bugs $5000 and up

  • SQL Injection
  • Remote Code Execution
  • Privilege Escalation affecting all teams
  • Broken Authentication affecting all teams
  • SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
  • And other critical-severity issues

What’s In Scope

Most Glia-owned web services that handle reasonably sensitive user data are intended to be in scope. A design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope. The web services in scope include the content in the following domains:

  • *.glia.com - see exclusions for a list of domains that are not in scope
  • *.glia.eu
  • *.salemove.com
  • *.salemove.eu

In addition,

  • Current versions of the official Glia Technologies applications for Windows, Mac, Linux, iOS, and Android
  • Apps that are maintained by Glia Technologies itself (and not 3rd party applications). To identify apps that are in scope for bug bounty, please note that apps may differ from Glia Technologies production, depending on the impact of an issue.

Testing notes

  • Cookie Scope: the only sensitive cookies in the Glia Technologies product reside on .glia.com, .glia.eu, .salemove.com and .salemove.eu.

Exclusions

The following bugs are not eligible for a bounty:

  • Third-party websites. Some Glia-branded hosted services may be operated by Glia’s vendors or partners. We do not authorize you to test these systems on behalf of their owners and will not reward such reports. The domains not in scope include, but are not limited to:
  • Issues found through automated testing
  • URL findings from search engines and indexes (such as urlscan, commoncrawl, alienvault, virustotal, wayback machine, Internet archive, etc.)
  • Vulnerabilities that are already known to Glia (i.e. discovered internally or already reported by another bounty hunter)
  • "Scanner output" or scanner-generated reports
  • CSV Injection
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • "Advisory" or "Informational" reports that do not include any Glia Technologies-specific testing or context
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Network Level DDoS/DoS attacks. Application volumetric DDoS/DoS attacks are also forbidden: if you find a request that takes too long to answer, report it, but please do not try to DoS the service.
  • Brute Force attacks
  • Spam or Social Engineering techniques, including:
    • SPF, DKIM or DMARC issues
    • Content injection
    • Hyperlink injection in emails
    • IDN homograph attacks
    • RTL Ambiguity
  • Content Spoofing
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Bugs that do not represent any security risk - these should be reported to operations@glia.com.
  • Security bugs in third-party applications or services built on the Glia Technologies API - please report them to the third party that built the application or service
  • Security bugs in software related to an acquisition for a period of 90 days following any public announcement
  • Enterprise Mobility Management
  • Submissions from current or former Glia Technologies employees within one year of their departure from Glia Technologies