Rezdy Vulnerability Disclosure and Bounty Policy

Rezdy will be temporarily suspending the bug bounty/rewards program.

We will honour reviewing anything already raised to date and will reach out over the next few months, once we’ve had the opportunity to review.

Rezdy is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is a important means of achieving our security goals.

If you believe you have found a security vulnerability in one of our products, we welcome and greatly appreciate you reporting it to security@rezdy.com, as long as it falls in scope and is not one of the types of vulnerability listed as out-of-scope below.

Scope

Domains IN SCOPE are:

• • app.rezdy.com
  • auth.rezdy.com
  • demo-booking-form.rezdy.com
  • svc-auth.rezdy.com
  • services.rezdy.com
  • secured.rezdy.com

The following items can be reported to us via email, but are out of scope for bounty rewards:

• • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • HTML injection
  • Vulnerabilities related to 3rd-party software, libraries & scripts
  • Content-Security-Policy and X-Frame headers (including clickjacking)
  • Rezdy API keys publicly available
  • CORS configuration

The following items should not be reported:

• • Stack traces
  • Application or server error messages
  • Use of out-of-date 3rd party libraries without proof of exploitability
  • Password or account recovery policies (e.g. reset link expiration, password complexity , session invalidation, login with both email and oauth)
  • Reports from automated web security scanners
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Vulnerabilities only affecting end of life browsers or platforms
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Content spoofing/text injection
  • Presence or absence of HTTP headers (nosniff, HOST, etc.)
  • Server information disclosure (e.g. version, hostname)

Disclosure Policy

To encourage coordinated disclosure, Rezdy does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:

• • Researchers will report details of a discovered security issue to Rezdy without making any information or details of the vulnerability public
  • Researchers will allow Rezdy reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known. Rezdy will commit to provide an initial response to the researcher within 30 days.
  • Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the privacy of any Rezdy customer or data. This includes disrupting or degrading Rezdy’s products and service to its customers.

The following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:

• • Denial of service
  • Spamming
  • Brute-force attacks
  • Social engineering (including phishing) of Rezdy staff or contractors
  • Any physical attempts against Rezdy property
  • Bounty rewards

At this time, we are not automatically awarding bounties or cash rewards for reported vulnerabilities. However, we’re able to reward researchers who find highly critical issues on a case-by-case basis.