This disclosure program is limited to security vulnerabilities in Trinsly products (the "Service") owned by Chatkick, Inc. ("us", "we", or "our"). This program does not provide monetary rewards for bug submissions. All vulnerabilities affecting Trinsly products should be reported by filling out this Google form.
Eligible Vulnerabilities
We encourage the coordinated disclosure of the following eligible web application vulnerabilities:
Cross-site scripting
Cross-site request forgery in a privileged context
Server-side code execution
Authentication or authorization flaws
Injection vulnerabilities
Directory traversal
Information disclosure
Significant security misconfiguration
Methods to extend product trial periods
To receive credit, you must be the first reporter of a vulnerability and give us a reasonable amount of time to remediate before disclosing it publicly. When submitting a vulnerability, please provide concise, easily understood steps to reproduce it.
Program Exclusions
While we welcome any submission affecting the security of a Trinsly product, the following examples are excluded from this program unless you provide evidence demonstrating that they are exploitable:
Content spoofing / text injection
Self-XSS (to be eligible, a cross-site scripting issue must be reflected, stored or DOM-based and exploitable against a user other than the reporter)
Logout CSRF and other low-severity instances of cross-site request forgery
Cross-site tracing (XST)
Open redirects with low security impact (exceptions are cases where the impact is higher, such as stealing OAuth tokens)
Missing HTTP security headers
Missing cookie flags on non-sensitive cookies
Password and account recovery policies, such as reset link expiration or password complexity
Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
SSL/TLS best-practice findings without a demonstrated practical attack
Clickjacking/UI redressing with no practical security impact
Software version disclosure
Username / email enumeration via Login Page or Forgot Password Page error messages
Process
Your submission will be reviewed and validated by a member of the Trinsly Support Team. Clear and concise steps to reproduce the issue will help expedite our response.
Terms and Conditions
Please use your own account for testing or research purposes. Do not attempt to gain access to another user's account or confidential information.
Please do not test for spam, social engineering or denial-of-service issues.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
Please fill out this Google form to report security incidents such as customer data leakage or breach of infrastructure.