Articles in this section

Security Vulnerabilities & Bug Bounty

    Sketchfab will provide monetary rewards for responsible disclosure of security vulnerabilities. To receive a reward, the bug must not be already known to us and must be considered a legitimate threat to our business and/or users.

    Scope

    The following contexts are in scope for rewards:

    • Security flaws on the sketchfab.com top-level domain, except sketchfab.com/blogs/*
    • Security flaws in core technologies and libraries used in the sketchfab.com stack (e.g. nginx)
    • Security flaws on *.sketchfab.com subdomains hosted by us (e.g. labs.sketchfab.com, clients.sketchfab.com)
    • Security flaws in our mobile app

    The following contexts are out of scope. We will look at any such reports, but they are not eligible for rewards except in extreme cases:

    • Issues on *.sketchfab.com subdomains hosted by other providers (e.g. forum.sketchfab.com, help.sketchfab.com)
    • Issues related to WordPress (sketchfab.com/blogs/*)
    • Issues related to other third-party providers (e.g. Zendesk, Sendinblue, Discourse)
    • Bugs unrelated to security

    The following types of security reports will also not be rewarded:

    • Attacks with a prerequisite of physical or remote access to a victim's authenticated browser session
    • Attacks with a prerequisite of controlling a victim's email account, social media accounts, etc.
    • Rate limit bypass
    • Attacks related to vulnerabilities in deprecated TLS/SSL versions & ciphers
    • Mail server configuration, spoofing, SPF, DMARC, etc.
    • Session management weaknesses
    • Token management weaknesses
    • CORS misconfigurations
    • CSRF misconfigurations
    • Direct object reference containing no sensitive information
    • Version disclosures

    Reward Matrix

    The following table shows general guidelines for vulnerability types and potential rewards. Sketchfab may reduce or increase rewards as we see fit. Again, known issues will not be rewarded.

    Rewards are dispersed via PayPal, and a 4% will be added to the reward to cover PayPal fees.

      Impact Examples Potential Reward
    P1 - Critical Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote execution, financial theft, etc.
    • Remote Code Execution
    • Vertical Authentication Bypass
    • XML External Entities Injection with significant impact
    • SQL Injection with significant impact
    		 up to $1500
    P2 - High Vulnerabilities that affect the security of the platform including the processes it supports
    • Lateral authentication bypass
    • Stored XSS with significant impact
    • CSRF with significant impact
    • Direct object reference with significant impact
    • Internal SSRF
    		 up to $900
    P3 - Medium Vulnerabilities that affect multiple users and require little or no user interaction to trigger
    • Reflective XSS with impact
    • Direct object reference (containing sensitive data)
    		 up to $300
    P4 - Low Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM)
    • SSL misconfigurations with little impact
    • XSS with limited impact
    • URL redirect
    • CSRF with impact
    		 up to $100
    P5 - Acceptable Risk Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed acceptable business risk to the customer
    • Debug information
    • Use of CAPTCHAs
    • Code obfuscation
    • Mail configuration
    • CORS configurations
    • CSRF with limited impact
    • Version disclosure
    • Rate limiting, etc.
    		 $0

    Submitting Reports

    Please submit reports to this form.

    Avatar
    James
    • Updated
    Follow

    Related articles

    Comments

    0 comments

    Article is closed for comments.