Last updated: 8th January 2024
SquareX, founded and led by serial cyber security entrepreneur
Vivek Ramachandran, is building a browser-based cyber security
solution with a vision to make consumers fearless online (the
“Product”). We aim to give users control, freedom, and security
while they browse the web fearlessly!
Through this program (“Bug Bounty Program”), we invite
hackers and researchers to uncover potential security
vulnerabilities, helping us improve our Product and helping us
protect the security of users.
If you believe you've discovered a security vulnerability in the
Product, please report it directly to us. Your report may be
eligible for a reward. By participating, you agree to follow the
program rules set out below (the “Terms”):
Scope
The following domains and applications are within the scope of
this program:
- sqrx.com website, domain, and subdomains
- sqrxlabs.com domain and subdomains
- Disposable Browser and Disposable File Viewer launched via the
  SquareX Chrome Extension / Web App, including:
  - Container breakout to the host
  - Getting Internet access inside the container
  - Breaking multitenancy, i.e. viewing other users' sessions
  - Attacks on Kubernetes
  - Extending the lifetime of the container
- Disposable Email feature in the SquareX Chrome Extension and Web
  App
Not included / Exclusions
- Email and DNS-related issues, such as DMARC, SPF, etc.
- Email bombing
- TLS version-related issues
- Denial of service
- Rate limiting
- Crashing the container
- Accessing local files inside the container
- Firebase configuration leaks and authentication issues
- Server error messages (unless critical information is leaked)
- File restriction bypass
- Cross-Origin Resource Sharing (CORS) issues
- Clickjacking
- Missing security headers
- Cookie flags and header-related issues
- Bugs without security implications
- Google Analytics (any interaction with *.sqrx.com/track/*)
Rewards
Based on the maximum impact of the finding as assessed internally
by SquareX, rewards are classified into the following categories:
- Low: USD 100
- Medium: USD 500
- High: USD 1,000
- Critical: USD 2,000
Reporting the Bug / Finding
To help us evaluate and review your findings, please provide the
following information:
- Vulnerability details
- URL endpoint: the affected web application/API endpoint, e.g.
  https://public.sqrx.com/display/
- Description:
  - Describe the vulnerability and its impact
  - Steps to replicate the problem
  - Proof of concept (anything you want us to know that helps us
    understand the finding better)
  - Attachments: screenshots and video recordings
- PayPal account details and a scanned copy of a government identity
  card/document (only when asked for)
The report containing the information above should be sent by
email to security@sqrx.com (the “Report”). The subject of your
email must follow the format "[Severity] Vulnerability -
sqrx.com", where Severity is your own assessment of the severity
of the vulnerability: Low, Medium, High, or Critical. For
instance, if you've found a Critical vulnerability, the email
subject must be "[Critical] Vulnerability - sqrx.com".
Eligibility
To be eligible for a bounty, you must meet the following
requirements:
- You must be the first reporter of the vulnerability
- The vulnerability must be associated with a domain or
  application listed above and must not fall under the exclusions
  above
- The vulnerability must have a clearly identified security impact
  and be presented with enough information for investigation and
  reproduction by the SquareX team
- You are not a person who is:
  - included on, or affiliated with any person on, the United
    States Treasury Department's Office of Foreign Assets Control
    (OFAC) list of “Specially Designated Nationals and Blocked
    Persons”, the Specially Designated Narcotics Traffickers or
    Specially Designated Terrorists, or the Annex to Executive
    Order No. 13224; the Department of State's Debarred List; the
    United Nations Security Council Consolidated List; the United
    States Commerce Department's Denied Parties List; or on any
    other list of targeted persons issued under the economic
    sanctions laws of any other country; and/or
  - a resident of any country or other territory subject to a
    general export, import, financial or investment embargo or
    sanctions administered by OFAC, the United States State
    Department, the United Nations, the European Union, the United
    Kingdom, or any member state thereof (e.g. Cuba, Iran, North
    Korea, Sudan, Syria and the Crimea Region of Ukraine).
Reward Decision
Submissions are evaluated based on their severity in the context
of SquareX's technical environment. Please be aware that not all
submissions will be eligible for a reward/bounty. The decision
made by SquareX's team is final and binding.
Response Targets
SquareX will strive to meet the following response targets for
participants of the Bug Bounty Program:
- First response: within 2 business days from the date the Report
  is submitted.
- Time to triage: within 5 business days from the date the Report
  is submitted.
- Time to make the payment if the bug is accepted: within 10
  business days from the date the Report is confirmed as a
  vulnerability by the SquareX team, provided that the participant
  provides all necessary information and responds to any follow-up
  queries promptly.
Payment Terms
We appreciate your efforts, and we aim to process your reward
within 10 business days after the Report is submitted and
accepted. As we will need to verify your identity before
processing any payment, please provide your PayPal account details
and a scanned copy of a valid government ID when asked. If you are
unable to receive the payment via PayPal, you can opt to donate
the bounty to a charitable cause of your choosing, provided we can
pay them via PayPal as well.
Legal Terms and Conditions
- SquareX reserves the right to limit or refuse your eligibility
  to participate in the Bug Bounty Program, or to amend, withhold,
  or cancel any Bug Bounty Program payment granted to you, for any
  reason in its sole discretion, including but not limited to
  where your participation is prohibited by any applicable laws or
  where there is any violation of these Terms.
- SquareX reserves the right to amend, suspend, or terminate the
  Bug Bounty Program at any time, with or without prior notice or
  consent.
- Administration of the Bug Bounty Program is at the sole
  discretion of SquareX, subject to applicable laws. Any questions
  or disputes relating to the Bug Bounty Program or these Terms
  (including whether a reported vulnerability is eligible for a
  bounty and the severity level of the reported vulnerability)
  will be resolved by SquareX at its sole discretion, and its
  decision will be final and binding with respect thereto.
- By participating in the Bug Bounty Program, you agree that:
  - you are not breaching any applicable laws (including
    infringement of any third party intellectual property rights
    or any other rights); and
  - you shall keep confidential and not disclose to any third
    parties any vulnerabilities, data, and/or information accessed
    and/or obtained through or in connection with your
    participation in the Bug Bounty Program, except with prior
    written consent from SquareX.
- By participating in the Bug Bounty Program, you grant to
  SquareX: (i) the right to use your name, country of residence,
  email address, and any other information you provide to SquareX
  for the purposes of administering the Bug Bounty Program, and
  (ii) the right to use such information for publicity,
  promotional, marketing and advertising purposes relating to the
  Bug Bounty Program without further compensation.
- By participating in the Bug Bounty Program, you agree to release
  and hold harmless SquareX, its affiliates, and their respective
  officers, directors, and employees from and against any claim or
  cause of action arising out of your participation in the Bug
  Bounty Program and/or any determination made about your
  eligibility in the Bug Bounty Program and/or any payment
  thereunder. You agree that SquareX, its affiliates, and their
  respective officers, directors, and employees are not liable for
  injuries, losses, or damages of any kind arising from your
  participation in the Bug Bounty Program and the acceptance,
  possession, and use of the benefits or payments received under
  the Bug Bounty Program.
Please review the scope carefully. If you believe you've found a
security issue in our services that is not explicitly covered by
the scope of this program, please submit it via our Responsible
Disclosure Program.