Create or update your meeting notes, directly from your activity tracking Reports At the same time as you track your...

BeesApps is committed to keeping their SaaS solution Beesy secure and awards responsible disclosed vulnerabilities according to these rules.
At BeesApps we take security very seriously. If you believe that you have found a security vulnerability on Beesy.com, we encourage you to let us know straight away.
We believe that no technology is perfect and that working with skilled security researchers is crucial to identify weaknesses in our technology. If you believe you’ve found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.
Never use a finding to compromise/ex-filtrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
If sensitive information — such as personal information, credentials, etc. — is accessed as part of a vulnerability, it must not be saved, stored, transferred, or otherwise accessed after initial discovery. All sensitive information must be returned to BeesApps and any copies of such information must not be retained.
Any type of denial of service (DDoS) attacks is strictly prohibited, as well as any interference with network equipment and BeesApps infrastructure.
Do not try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.
If you find the same vulnerability several times, please create only one report and eventually use comments. You’ll be rewarded accordingly to your findings.
Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
investigate all legitimate reports and do our best to quickly fix the problem.
We reward vulnerabilities submissions for the following system
Please submit your report via email to [email protected]
Your submission will be reviewed and validated by a member of the Product Security Team.
When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to other users. Depending upon the severity of your issue, it may take us time to respond to you.
Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For instance:
X-Bug-Bounty:Hacker-[accountid]
X-Bug-Bounty:ID-[sha256-flag]
When testing for a bug, please also keep in mind:
cat /proc/1/maps
touch /root/<accountid>
id
, hostname
, pwd
Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools — these tools include payloads that could trigger state changes or damage production systems and/or data.
Before causing damage or potential damage: Stop, report what you’ve found and request additional testing permission
http://example.com
if possible.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, brute force authentication, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the issues that typically do not earn a monetary reward:
We are happy to thank everyone who submits valid reports which help us improve the security of BeesApps . However, only those that meet the following eligibility requirements may receive a monetary reward:
Our rewards are based on severity per CVSS v3.1 Ratings. In the event of duplicate reports, we award a bounty to the first person to submit an issue. For a critical severity you additionally need to demonstrate that your attack could compromise the confidentiality or integrity of all Beesy users without any user interaction needed
Critical
to be discuss, case by case
High
100$
Medium
50$
Low
25$
Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
Time to first response: 2 business days or less.
Time to triage: 3 business days or less.
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 10 days of being triaged. Rewards will be paid when patch is applied, so you should expect a payment for confirmed vulnerabilities within two weeks.
No vulnerability disclosure, including partial, is allowed before the patch is applied and we agree the publication.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope of this program.
If legal action is initiated by a third party against you and you have complied with this security policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
It is also important to note, we will not take legal action against you simply for providing us with a proof of concept of the security vulnerability. Please follow the guidelines listed in the Proof of concepts section above to ensure that your proof of concept is detailed enough to demonstrate the issue and still follows the guideline listed above.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.