Access Public
Bounty $0 - $1200
Bounties Paid None

Program Description & Scope

No technology is perfect, and Gleam.io believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from:
  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Gleam.io staff or contractors
  • Any physical attempts against Gleam.io property or data centers
  • Vulnerabilities that require access to the user's device
  • When reporting XSS, confirm that the affected domain can actually attack our main domains. We serve custom user HTML from preview.gleam.io so that it cannot perform XSS against our main domains.

Reward guidelines

  1. Interesting - $50-300: E.g. We've configured our system in a way that could give a hacker a foothold
  2. Dangerous - $300-600: E.g. Stored XSS, Information leakage
  3. Disastrous - $1200: E.g. SQLi, RCE

Additional permissions

If you've found a bug or have a high HackerOne reputation, we'll give you a test account that includes the paid features of our app.

Discretion

Bounty payments and what constitutes a bug are solely at our discretion. We'll be as transparent as possible about our decision process, but sometimes we could end up disagreeing. Try to be understanding.

Thank you for helping keep Gleam.io and our users safe!

Rewards

  Severity   Bounty Range
  Critical   $600 - $1200
  High       $300 - $600
  Medium     $50 - $300
  Low        $0