Vulnerability Disclosure Policy

Introduction

Bubble Group, Inc. (“Bubble,” “we,” or “us”) welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us.

Scope

This policy applies to any digital assets owned, operated, or maintained by Bubble, including:

  • Public-facing websites

  • Bubble hosting platform

  • Bubble-developed software

The types of vulnerabilities that are in scope are those that could impact all or a substantial number of applications hosted by Bubble.

Out of Scope

All Bubble assets that are not explicitly listed within the scope of this policy should be considered out of scope. Examples of out-of-scope assets include:

  • Third-party plugins not developed by Bubble

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor, application owner, or applicable authority.

Prohibited Activities

The following activities are always prohibited and outside the scope of this policy:

  • Social engineering (phishing, vishing, etc.)

  • Physical attacks

  • Denial of service (DoS/DDoS)

  • Use of automated scanners/tools, or other methods that may impact system availability

  • Attacks that are noisy to users or admins (e.g., spamming, notifications, or forms)

  • Knowingly posting, transmitting, uploading, linking to, or sending malware

If you discover specific Bubble applications that are being used to engage in potentially disruptive, malicious or abusive activities, please submit an abuse report.

Our Commitments

  • Respond to your report promptly, and work with you to understand and validate your report;

  • Strive to keep you informed about the progress of a vulnerability as it is processed;

  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints and internal support SLAs; and

  • Extend Safe Harbor for vulnerability research that is related to this policy.

Official Channels

Please use security@bubble.io to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Relevant information to provide includes:

  • Instructions and resources to validate the vulnerability:

    • Specific assets in scope (e.g., URLs to specific in-scope systems)

    • Pre-conditions or assumptions made in order to exploit the vulnerability (e.g., an authenticated user, software version, system configuration)

    • Instructions for validating the vulnerability, identifying any tools and methods used

    • Source code, scripts, and relevant technical configurations

  • Proof of concept:

    • Video recording showing how the vulnerability was exploited and its resulting impact. When you submit a report via our official channel, you will be provided with a tool to provide a screen recording with audio. By using this feature, you consent to such recording.

    • Output files and screenshots

We expect that the relevant information will be uploaded via the specified Official Channels and not hosted on external sites. If there are valid technical reasons that prevent the uploading of relevant information, we may agree to other methods.

Our Expectations

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;

  • Report any vulnerability you’ve discovered promptly;

  • Conduct system activities solely for the purpose of good-faith testing and investigation of security flaws or vulnerabilities;

  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;

  • Use only the Official Channels to discuss vulnerability information with us;

  • Provide us a reasonable amount of time to resolve the issue;

  • Keep the details of any discovered vulnerabilities confidential until we have confirmed that the issue has been resolved and we have agreed to public disclosure;

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;

  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;

  • Any user data encountered during testing must be kept strictly confidential and never publicly disclosed;

  • You should only interact with test accounts you own or with explicit permission from the account holder; and

  • Do not engage in extortion.

Safe Harbor

We consider activities conducted consistent with this policy to constitute “authorized” access under applicable law. While we cannot bind law enforcement or third parties, we commit to advocating on your behalf if legal issues arise from good faith security research conducted under this policy.

Please submit reports through our Official Channels before engaging in conduct that may be inconsistent with or unaddressed by this policy. If in doubt, contact us first.

Rewards

We do not currently offer a formal bug bounty or financial rewards for vulnerability disclosure.

However, we offer recognition on our Security Acknowledgement Page for significant findings. “Significant findings” include those that we have verified, have not already been reported to us, result in a security improvement to our product or platform, and were submitted according to this Vulnerability Disclosure Policy, as determined by us in our sole discretion.
