Security: Reporting a Vulnerability

At Raisely, we take the protection of our customers’ data seriously.

The Raisely engineering team acknowledges the valuable role that independent security researchers play in Internet security, and we’re especially grateful that you might use your valuable time to help secure a platform that operates for the benefit of non-profits. We encourage responsible disclosure of any vulnerabilities that may be found in our site or applications. Raisely is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.

Please review these terms before you test and/or report a vulnerability. Raisely pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Testing for security vulnerabilities

Always use test or demo accounts when testing our online services.

The following systems are in scope for vulnerability testing:

api.raisely.com
admin.raisely.com
support.raisely.com
developers.raisely.com
communications.raisely.com

You may also attempt to discover vulnerabilities on any website that you have created and control on *.raiselysite.com. You must not attempt to discover vulnerabilities in websites on *.raiselysite.com or *.raisely.com subdomains that belong to other customers or that are otherwise not under your control.

Prohibited security research activities

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

  • Performing actions that may negatively affect Raisely or its users (e.g. spam, brute force, denial of service…)
  • Testing third-party APIs in use on our platform such as Stripe, PayPal, Email, SMS, Authentication (if you believe we have misconfigured those services then please do let us know, but testing for vulnerabilities that are wholly within those third-party systems is out of scope)
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
  • Conducting any kind of physical or electronic attack on Raisely personnel, property or data centers
  • Social engineering any Raisely service desk, employee or contractor
  • Conducting vulnerability testing of participating services using anything other than test accounts that you have signed up for yourself
  • Violating any laws or breaching any agreements in order to discover vulnerabilities

Compensation and Bug Bounties

We will not automatically offer compensation for vulnerability reports. We may, at our sole discretion, offer compensation to researchers that report vulnerabilities that we deem to be high or critical in severity.

To be considered high in severity, a report must, at a minimum, demonstrate a reproducible exploit that produces

  • privilege escalation,
  • remote code execution, or
  • failure of multi-tenancy controls,

or an issue of a similar level of severity.

Exclusions

The following types of reports will not be considered for compensation.

Custom Code in Websites: We permit a high degree of customisation of customer websites, including customising HTML and JavaScript on the page or within specific elements. This is a feature, not a bug.

User Enumeration: Reports outlining user enumeration will not be considered for compensation.

Presence of banner or version information: Version information does not, by itself, expose the service to attacks, so we do not consider this to be a bug. That said, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.

Low Level or Informational: In general, reports of a low-severity or informational vulnerability accompanied by the suggestion that a high-severity exploit may be possible in combination with other hypothetical issues will not be considered for compensation.

Reporting a potential security vulnerability

We ask that you do not share an unresolved vulnerability with, or publicise it to, third parties. If you responsibly submit a vulnerability report, the Raisely engineering team will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify you when the vulnerability has been fixed

We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Raisely.

To report a vulnerability:

  • Privately share details of the suspected vulnerability with Raisely by sending an email to security@raisely.com
  • Provide full details of the suspected vulnerability so the Raisely security team may validate and reproduce the issue