Vulnerability Disclosure Policy

SharpSpring from Constant Contact (SharpSpring) takes the security of our platforms and our users’ data very seriously. If you have discovered or believe you have discovered potential security vulnerabilities in a SharpSpring service, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Vulnerability Disclosure Program. Please note that the Vulnerability Disclosure Program is different from a bug bounty. The Vulnerability Disclosure Program allows ethical hackers to find and report vulnerabilities but it does not provide monetary compensation. SharpSpring reserves the right to accept or reject any submission.

Safe Harbor

If you discover and report security vulnerabilities in accordance with this [Vulnerability Disclosure Program], we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this Voluntary Disclosure Policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this [Vulnerability Disclosure Program]; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this [Vulnerability Disclosure Program], please contact us before going any further.

Eligibility

You may not participate in this program if you are an employee or family member of an employee, or a current vendor or employee of such vendor, of SharpSpring of any of its subsidiaries. You are also prohibited from participating if you are (i) in a country or territory that is the target of U.S. sanctions (including Cuba, Iran, Syria, North Korea, or the Crimea region of Ukraine), (ii) designated as a Specially Designated National or Blocked Person by the U.S. Department of the Treasury’s Office of Foreign Assets Control or otherwise owned, controlled, or acting on behalf of such a person or entity, or (iii) otherwise a prohibited party under U.S. trade and export control laws.

Discretionary Disclosure Policy:

Because public disclosure of a security vulnerability could put the entire SharpSpring community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. Therefore, public disclosure of the submission details of any identified or alleged vulnerability without express written consent from SharpSpring will deem the submission as noncompliant with this Vulnerability Disclosure Policy. 

Discovering Security Vulnerabilities

We encourage responsible security research on the SharpSpring services and products. We allow you to conduct vulnerability research and testing on the SharpSpring services and products to which you have authorized access. In no event shall your research and testing involve, without limitation:

  • Accessing, or attempting to access, accounts or data that do not belong to you or your authorized users,
  • Any attempt to download, modify, or destroy any data,
  • Executing, or attempting to execute, a denial of service attack,
  • Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages,
  • Testing third party websites, applications or services that integrate with any SharpSpring services,
  • Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade the SharpSpring services.
  • Any activity that violates any applicable law.

Reporting In-Scope Security Vulnerabilities

If you believe you have discovered a security vulnerability issue, please share the details with SharpSpring by completing our Submission Form. We will work with you to validate and respond to security vulnerabilities that you report to us. Your report will be forwarded to our partner (BugCrowd) for timely acknowledgement and verification. You are rewarded “points” for each validly accepted report made. You must be the first person to report the bug to earn all possible points.

If you are unable to use the web form or prefer to submit the report as a document please send an email to vulnerability@constantcontact.com with the report attached. At a minimum, you must include the following information:

  1. Your email
  2. The bug type
  3. The url or location of the defect
  4. Who or what is affected
  5. A detailed description of the vulnerability
  6. Steps to reproduce
  7. Any trace dump/WGET/http request information
  8. Any information about parameters affected, cookies etc.

Please do not send vulnerability emails directly to SharpSpring employees. Verified issues will be passed to our development teams for remediation on a timeline commensurate with the severity of the issue (as defined by the BugCrowd Vulnerability Rating Taxonomy). {https://bugcrowd.com/vulnerability-rating-taxonomy}

Email communication between you and SharpSpring, including without limitation, emails you send to SharpSpring reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to SharpSpring shall be considered non-proprietary. SharpSpring, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting.

 

Out-of-Scope 

The following is a partial list of issues that we ask for you not to report, unless you believe there is an actual vulnerability:

  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Sender Policy Framework (SPF) configuration and Domain-based Message Authentication, Reporting & Conformance (DMARC) suggestions

By participating in this Vulnerability Disclosure Program, you acknowledge that you have read and agree to SharpSpring’s Terms of Service and Privacy Notice, as well as BugCrowd’s Standard Disclosure Terms. In the event of any conflict between SharpSpring’s Terms of Service and BugCrowd’s Standard Disclosure Terms, SharpSpring’s Terms of Service shall control.