Sketchfab will provide monetary rewards for responsible disclosure of security vulnerabilities. To receive a reward, the bug must not be already known to us and must be considered a legitimate threat to our business and/or users.
The following contexts are in scope for rewards:
- Security flaws on the sketchfab.com top-level domain, except sketchfab.com/blogs/*
- Security flaws in core technologies and libraries used in the sketchfab.com stack (e.g. nginx)
- Security flaws on *.sketchfab.com subdomains hosted by us (e.g. labs.sketchfab.com, clients.sketchfab.com)
- Security flaws in our mobile app
The following contexts are out of scope. We will look at any such reports, but they are not eligible for rewards except in extreme cases:
- Issues on *.sketchfab.com subdomains hosted by other providers (e.g. forum.sketchfab.com, help.sketchfab.com)
- Issues related to WordPress (sketchfab.com/blogs/*)
- Issues related to other third-party providers (e.g. Zendesk, Sendinblue, Discourse)
- Bugs unrelated to security
The following types of security reports will also not be rewarded:
- Attacks with a prerequisite of physical or remote access to a victim's authenticated browser session
- Attacks with a prerequisite of controlling a victim's email account, social media accounts, etc.
- Rate limit bypass
- Attacks related to vulnerabilities in deprecated TLS/SSL versions & ciphers
- Mail server configuration, spoofing, SPF, DMARC, etc.
- Session management weaknesses
- Token management weaknesses
- CORS misconfigurations
The following table shows general guidelines for vulnerability types and potential rewards. Sketchfab may reduce or increase rewards as we see fit. Again, known issues will not be rewarded.
Rewards are disbursed via PayPal, and 4% will be added to the reward to cover PayPal fees.
| Priority | Vulnerability type | Potential reward |
|---|---|---|
| P1 - Critical | Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote execution, financial theft, etc. | up to $1500 |
| P2 - High | Vulnerabilities that affect the security of the platform including the processes it supports | up to $900 |
| P3 - Medium | Vulnerabilities that affect multiple users and require little or no user interaction to trigger | up to $300 |
| P4 - Low | Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) | up to $100 |
| P5 - Acceptable Risk | Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed acceptable business risk to the customer | |
Please submit reports to this form.