We take security at Assembled very seriously and are committed to investigating all reported security issues or vulnerabilities. If you believe you’ve discovered an issue with Assembled's security, please get in touch at security@assembled.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Assembled. In filing any report, please include a sufficiently detailed and understandable description such that we are able to reproduce the issue.
Although we do not currently operate a bug bounty or reward program, we do understand and appreciate the hard work that goes into security research. As such, we may reward the confidential disclosure of verifiable issues at our discretion.
Note that vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and without compromising other users or accounts. We do not reward denial of service, spam, or social engineering vulnerabilities.
We do not accept reports of the following categories:
- Ability to perform an action unavailable via user interface without identified security risks
- Ability to send emails with no control over content without any limits
- Any activity that could lead to the disruption of our service (DoS)
- Attacks that require MiTM or physical access to a user's device
- Clickjacking
- Content spoofing and text injection
- CSV injection without demonstrating a vulnerability
- Disclosure of non-sensitive information, like product version, file path on a server, stack trace, etc.
- Disclosure of private IP addresses or domains pointing to private IP addresses
- Leakage of sensitive tokens (e.g. password reset token) to trusted third parties over a secure connection (HTTPS)
- Missing best practices in SSL/TLS configuration
- Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
- Missing best practices in HTTP headers without demonstrating a vulnerability
- Missing notifications about important actions
- Missing protection mechanism or best practices without demonstration of real security impact for user or system
- Previously known vulnerable libraries without a working proof of concept
- Unauthenticated/login/logout CSRF
- User enumeration
- Vectors that require browser versions released 6 or more months before report submission
- Disclosure of JavaScript API keys (e.g. API key for external map service)