Pronto Marketing is happy to work with security researchers, and takes security, collaboration, and transparency seriously. With this in mind, we have created a program for responsible disclosure of security issues related to our services. If you believe you have found a security vulnerability which could impact us, our clients, or our services, we encourage you to report it to us.
We strongly believe in responsible disclosure, and are committed to investigating and fixing legitimate reports as soon as we can. In return, we ask that you make a good faith effort to handle any privileged information you obtain with consideration, avoid privacy violations where possible, and prevent or minimise any loss of data or interruption to our services as part of your research.
Sensitive and Personal Information
If, during your testing and research, you are able to access privileged information due to a vulnerability you have found, you should terminate your testing immediately, refrain from any additional testing, research, or scanning regarding the data you have found or which would cause more data to be accessed, and report the issue to Pronto Marketing as soon as possible. You may not save, copy, store, transfer, disclose, use, or otherwise retain the data or personal information you have found. Failure to adhere to these requirements will disqualify any report from eligibility for any Bug Bounty Rewards.
If you are unsure whether or not a vulnerability is within scope, we recommend submitting it to us for review, and we can assess it based on the information you provide. Please note that the items above apply for all submissions.
In Scope
- Our publicly-accessible website at https://www.prontomarketing.com
- The Pronto Dashboard at https://app.prontomarketing.com
Out Of Scope
- Our ticketing portal at https://support.prontomarketing.com - this is hosted by Zendesk. Please note, however, that interactions with the Pronto Dashboard as they relate to the ticketing portal are within scope
- Customers of Pronto Marketing, and the websites and services of Pronto Marketing customers
- Any vulnerability, bug, or security issue related to the compromise of a Pronto Marketing customer or their company or user account with Pronto Marketing
- Any compromise of accounts belonging to Pronto Marketing staff
- Security issues related to social engineering, including unauthorised access to user accounts obtained via social engineering
- Vulnerabilities already known to Pronto Marketing
- Suggestions regarding recommended configurations, best practices, or security policies
- Missing Secure or HttpOnly flags on cookies containing non-sensitive information
- Any Denial of Service (DoS) attacks, or activities which could reasonably lead to a denial of service, against Pronto Marketing, or Pronto Marketing services
- Output from automated scanning tools without sufficient proof-of-concept of a vulnerability
- Physical attacks, man-in-the-middle (MITM) attacks, or social engineering of Pronto Marketing employees, offices, data centres, vendors, partners, or service providers
- Vulnerabilities in services not directly controlled by Pronto Marketing
- Purely theoretical attacks or security issues which cannot be reasonably exploited
- Engaging in the distribution of any malicious software (malware) to Pronto Marketing by any means
- Sending large volumes of unsolicited messages in bulk (spam), or engaging in targeted attacks via e-mail
Bug Bounty Rewards
Any rewards provided as part of the Pronto Marketing Bug Bounty program are at the sole discretion of Pronto Marketing, and are subject to change or cancellation without notice.
In order to be eligible for a reward under the program, your submission must meet the following criteria:
- You must be the first person to disclose a previously-unknown vulnerability
- Zero-day vulnerabilities less than 90 days from the patch release date are ineligible for rewards under the Bug Bounty program
- Vulnerabilities must not have been previously disclosed by you to third-parties, either in public or in private
- Reports must be submitted using only the form below - reports sent to our support e-mail addresses, provided via our live chat service or by any other means are ineligible for rewards
- The vulnerability submission form below must be completed accurately, in full, and with all of the relevant information available to you at the time of the report
- Current or former employees of Pronto Marketing and their families are ineligible to receive any rewards under the Bug Bounty program
A general guideline of rewards can be found below (all rewards in USD):
Pronto Marketing reserves the right to categorise reports based on the information you provide as part of your report, as well as our own investigations. We offer no guarantee that any reports will receive the specific reward amounts stated above, and will provide rewards at our own discretion.
Bug Bounty Reporting
Please ensure you have read all of the information above, and complete the form below to submit an eligible report. Submission of the form indicates your agreement to the aforementioned terms.