Vulnerability Disclosure Program

Salesloft’s Vulnerability Disclosure Program

“Security first”, is a mantra at Salesloft. We consider the trust of our customers instrumental to our success as a service provider. In the interest of protecting our customer data from cyber threats, including and especially zero-day attacks, we welcome all researchers acting in good faith to take advantage of our Vulnerability Disclosure Program.

Should you identify a vulnerability on our platform (while staying within the bounds of our code of conduct), we will focus our efforts on remediating the vulnerability as opposed to directing it towards legal retribution. Upon validation and your permission, we will publicly recognize you and your work.

Safe Harbor

Salesloft values the work performed by white-hat hackers and is committed to protecting the interests of the security research community. We will make every effort to support your work and forego legal action, so long as you make every effort to align with our code of conduct. Please review it carefully before testing, and send questions to vdp@salesloft.com if any areas remain unclear.

What’s in Scope?

Domains in scope:

  • App.salesloft.com
  • Accounts.salesloft.com

Domains out of scope:

  • Salesloft.com
  • Any website operated by a partner or any other third party

Vulnerability types in scope:

  • Software bugs
  • Misconfigured systems that allow unintended access
  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • Authentication bypass
  • Server-side code execution

Vulnerability types out of scope:

  • Any testing except as expressly permitted herein
  • Denial of Service (DoS) – Either through network traffic, resources exhaustion or others
  • The use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
  • Social Engineering (including phishing) or physical security attacks.

User-Authenticated Testing
Any user authenticated testing must be done so with either the express written permission of the Salesloft customer or within your own account with the consent of your organization. Notice of testing must be given to Salesloft no less than 24 hours prior to testing. Salesloft will not provide testing accounts. Salesloft retains the right to suspend any access in the event Salesloft reasonably believes your actions to create a security risk to the platform, application, or its or its customer’s data.

Code of Conduct – What can and can’t I do?

Do’s

  • Respect Salesloft customers’ privacy. Never publicize personally identifiable data.
  • Make a good faith effort not to access –and every effort not to destroy– a user’s data  (Remember, responsible disclosure means proving a vulnerability exists – not exploiting it).
  • Be patient with our team. We will acknowledge receipt within 36 hours of submission, but may require clarification following the initial report. You will get status updates of our investigation once a week until resolution.
  • Report vulnerabilities promptly after identification.
  • Stay within the rules set forth by our Security Team. If any scope is unclear, request clarification/permission before testing (via email to vdp@salesloft.com).

Don’ts

  • Violate legal or regulatory restrictions for your research.
  • Copy, transfer, store, or otherwise abuse sensitive information potentially exposed during your research.
  • Access  or exploit data of others, including but not limited to  our Users or Customers. Any attempts at access should be the minimum necessary to discover the applicable potential vulnerability
  • Publicly disclose vulnerabilities before our team has had time to acknowledge and subsequently remediate your findings.
  • Use your research as leverage to extort or otherwise cause harm to Salesloft or Salesloft customers.

Ok, so how do I report a vulnerability?

Please submit findings to vdp@salesloft.com in the following format:

Subject: VDP –
Body:
Your_name (or pseudonym):
Vulnerability_Name:
Domain_affected:
CVSS_Score (if applicable):
Impact to confidentiality? Y/N
Impact to integrity? Y/N
Impact to availability? Y/N

Steps to replicate:

  1. Step one
  2. Step two
  3. Step 3

Proof of concept screenshot – scrubbed of any PII or sensitive information, if applicable.

What should I expect after I submit a vulnerability?

Salesloft is committed to timely response and communication during an investigation. We will use reasonable efforts to acknowledge your submission within 36 hours and provide progress updates once every five working days. Following submission, Salesloft will work to validate, triage, and assess the severity of the vulnerability. Additional information may be required; you agree to provide reasonable assistance as requested. Once our analysis is complete, we will provide the results as well as any plans for remediation and a timeline for acceptable public disclosure, if applicable.

A few things to note about this process:

  1. Salesloft classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS version 3). The resulting score helps quantify the severity of the issue and to prioritize our response.
  2. The validity of a vulnerability will be judged at the sole discretion of Salesloft.
  3. We integrate our solution with several sub-processors. If the vulnerability is found to affect a third party product, we will notify the provider of the affected software. Salesloft will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.  You will not contact such third party provider without our express consent.
  4. We reserve the right to accept the risk of vulnerability if:
    • The vulnerability cannot be validated
    • The vulnerability is considered to be of negligible risk, at our sole discretion.
    • The remediation plan creates more risk than the vulnerability itself

Vulnerabilities that meet this criterion will be communicated as such to the researcher.

Public Notification

If a submission was deemed valid and remediation is necessary, we will ask the researcher to validate our remediation efforts with a retest. Once both Salesloft and the researcher agree the vulnerability has been remediated the researcher is welcome to report their work publicly (sans sharing any PII or sensitive information). Salesloft will hold Assignment of Rights such that Salesloft can do whatever it wants with the information, including the development of intellectual property.

With your permission, we would like to acknowledge your work, too. Our Security Hall of Fame page is meant to celebrate the efforts of those individuals keeping us safe and making us better. Thank you for your support!