Reporting Security Issues
If you believe that you have discovered a security or privacy vulnerability in our product, please report it to us.
Reports should be emailed to us at [email protected].
Reports should include the specific product and software version(s) that you believe are affected; a technical description of the behavior that you observed and the behavior that you expected; the steps required to reproduce the issue; and a proof of concept or exploit.
Bug Bounties
Floor does not operate a formal bug bounty program at this time. However, based on the severity and impact of reported vulnerabilities and the quality of the submission, bounties may be rewarded at our sole discretion. Submissions must meet the following criteria to be eligible for bounty consideration:
Eligibility
The goal of our security program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers.
- Identify a vulnerability in our product that was not previously reported to, or otherwise known by, Floor.
- Such a vulnerability must be of Critical or Important severity and reproducible on the latest, fully patched version of the product or service.
- Include clear, concise, and reproducible steps, either in writing or in video format, in order to provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
Out Of Scope
Floor is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty consideration. Here are some of the common low-severity or out-of-scope issues that typically do not qualify for bounty consideration:
- Publicly disclosed vulnerabilities that have already been reported to Floor or are already known to the wider security community
- Out-of-scope vulnerability types, including:
  - Vulnerabilities requiring physical access to hardware components
  - URL redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  - Email configuration issues
  - Cookie replay vulnerabilities
  - Sub-domain takeovers
  - Denial of Service issues
  - Low-impact CSRF bugs (such as logoff)
  - Server-side information disclosure such as IPs, server names and most stack traces
- Vulnerabilities based on user configuration or action, for example:
  - Vulnerabilities requiring extensive or unlikely user actions
  - Vulnerabilities in user-created content or applications
  - Security misconfiguration of a service by a user, such as enabling HTTP access on a storage account, which allows man-in-the-middle (MITM) attacks
- Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly)
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities based on third parties, for example:
  - Vulnerabilities in third-party software used for blockchain indexing
  - Vulnerabilities in platform technologies that are not unique to the online services in question
- Vulnerabilities that only affect unsupported browsers, devices, apps and plugins. This includes older versions of our mobile apps.
- Submissions that consist entirely of output from automated scanners and tools. These produce many results for further investigation but can also yield false positives. Reports from automated tools must include additional analysis demonstrating the exploitability of the vulnerability to be eligible.
- Documentation, community and customer support sites are not in scope unless otherwise listed.
- Vulnerabilities in versions of our mobile applications not distributed through the Google Play Store and the App Store
In-Scope Domains
- rally.xyz
- social.rally.xyz