Objective

  • At Chargebee, we take data integrity and security very seriously. Due to the nature of the product and service we provide, we are committed to working with individuals to stay updated on the latest security techniques and fix any security weakness in our application or infrastructure reported to us responsibly by external parties.

Eligibility Criteria

To be eligible for a reward,

  • Be the first to report the issue to us.

  • Subject to the Sections below, the submitted vulnerability must have a demonstrable impact in Chargebee's context. We use CVSS v3 as the vulnerability scoring framework.

  • Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.

  • The person submitting the request must not be an employee, former employee or an immediate relative of an employee or former employee of Chargebee.

  • You must comply with the Program terms and conditions.

Scope

The following are in scope for the purposes of this policy and subject to the terms of this policy, are eligible for a reward:

  • https://app.chargebee.com

  • https://yoursite.chargebee.com

  • https://yoursite.revenuestory.chargebee.com

  • https://yoursite.integrations.chargebee.com

  • https://yoursite.ui.chargebee.com

  • https://www.chargebee.com

  • https://yoursite.chargebeeportal.com

Out of Scope

  • Anything not defined in the "Scope" section above.

  • Reports from automated tools or scans

Non - Acceptable Category

There are some submissions that we can't accept for rewards. These are typically issues that we already are aware of, or issues that we think demonstrate business value that outweighs the low-level risk, or low-risk issues that are unlikely to result in a code change. Following vulnerability, classes are ineligible for rewards

  • Denial of Service

  • DMARC/ SPF

  • Self-XSS

  • Malicious File Upload

  • Social engineering

  • Email Spamming / Spoofing

  • Content Spoofing

  • Clickjacking and issues are only exploitable through clickjacking that has minimal impact.

  • CSRF on forms that are available to anonymous users(e.g. the contact form)

  • CSRF with negligible security impact (e.g. adding to favourites)

  • Software version number disclosure

  • Username or Site Name enumeration

  • Unvalidated Open Redirects or Tab Nabbing

  • HTML injection

  • Username or email address enumeration

  • Phishing attack using RTLO, Unicode/Punycode

  • Any security weakness or missing best practice without a demonstrable security impact

  • Descriptive error messages.

  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)

  • Clickjacking and issues are only exploitable through clickjacking that has minimal impact.

  • Lack of Secure and HTTPOnly cookie flags.

  • Weak or missing captcha/captcha bypass.

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack

  • SSL Forward secrecy not enabled

  • SSL Insecure cypher suites.

  • Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to direct exploitation.

  • XSS was only possible by an administrator e.g. administrators can modify HTML templates, that is not an example of an XSS vulnerability.

  • Self-XSS that has no security impact e.g. injecting HTML into your own RTE editor

  • Reports of third-party libraries without an actual proof-of-concept. e.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.

Chargebee would like to thank the following people
for contributions to make us secure 😊

2022
  • Aniket Kudale
2021
  • Subramanian
  • Sagar Yadav
  • Gaurav popalghat
  • Numan Rajkotiya
  • Parkerzanta
  • Hasan Khan

By submitting a security vulnerability to Chargebee, you acknowledge that you have read and agreed to the Terms and Conditions provided below. You agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Chargebee's prior written approval.

1.1 You shall:

  • Comply with all applicable laws, regulations and rules, including export compliance laws and ensure you have all necessary rights relating to your participation and actions at all times;
  • Ensure you have all permissions, consents and rights necessary to allow Chargebee to use your findings for Chargebee's business purposes without any restrictions or liability and grant to Chargebee a perpetual, irrevocable, transferable, worldwide and royalty-free license to use, copy, modify, adapt, disclose, transfer develop or otherwise exploit (including commercially) any of your findings;
  • Waive all claims against Chargebee or any third party with respect to your findings;
  • Not exploit any vulnerabilities, including by disclosing vulnerabilities to any third parties or publicly, without the prior written consent of Chargebee;
  • Not leverage any vulnerabilities against Chargebee or any third party in any manner, including to make any threats or ransom requests;
  • Not access or use any Chargebee customer account or information;
  • Use only a Chargebee account specifically created for this purpose if a Chargebee account is required to detect or test any vulnerability, which account shall be subject to these terms and conditions and the use restrictions in Chargebee's online terms of service;
  • Take all steps to ensure that the testing interfere with or interrupt a Chargebee customer's access to and use of Chargebee product or otherwise adversely affecting Chargebee product or its business, and immediately notify Chargebee in case you suspect any of the foregoing;
  • Not modify, copy, download, delete, compromise, adapt, tamper or otherwise process or misuse any data of Chargebee customer or any other non-public information, or engage in any act/omission that causes harm, liability or disrepute to Chargebee, its customers or partners, including incurring the loss of funds for Chargebee customer;
  • Limit your actions to those strictly necessary to detect and test vulnerabilities in Chargebee products;

1.2 Chargebee reserves the right to determine what constitutes a valid vulnerability submission that is entitled to a bounty. A valid vulnerability submission shall be rewarded with such amount as Chargebee deems appropriate. You shall be responsible for any taxes applicable to the bounty payment, including for payment of the same to the appropriate tax authorities unless otherwise required under applicable law.

1.3 Chargebee reserves the right to modify this policy and the terms and conditions herein at any time without notice, including discontinuation of the policy at any time. Any dispute relating to this policy shall be resolved amicably between the Parties. Chargebee's decision shall be final with respect to any interpretation of the policy.