Legal policy

Bug Bounty Disclosures

Read Smackdab security disclosure notes and program updates related to vulnerability reporting, review, and remediation.

Last updated: December 10, 2025 Official PDF 5 sections

Download official policy ↓

← All policies

Official policy available. This page is a web-formatted version for readability. If anything conflicts, the official policy controls. Download PDF

Bug Bounty Program - Public Disclosures

Last Updated: December 10, 2024 The following is a record of vulnerability reports processed through our Bug Bounty Program. We publish these summaries to provide transparency and help researchers understand what types of findings qualify for rewards. ⚠️ Technical details are intentionally vague to protect our systems and users. Full reproduction details are not disclosed.

🏆 Hall of Fame

We recognize the following researchers for their contributions to Smackdab security:

Researcher

Recognition

Researcher C

Critical and High severity findings on core application

Researcher D

High severity finding on core application

Researcher B

Medium and Low severity findings on production infrastructure

Researcher A

Low severity findings on marketing website

📋 Processed Reports

Report # Date

Researcher

📝 Report Summaries

#010 - IDOR (Critical)

Identified IDOR allowing an attacker to delete any Policy Group across organizations by manipulating a numeric ID in the delete API request. Remediated by implementing proper authorization checks.

#008 - Authentication Bypass (Critical)

Identified 2FA bypass via response manipulation. Remediated as part of authentication system hardening.

#007 - Stored XSS (High)

Identified stored cross-site scripting vulnerability in snippet management feature. Demonstrated session cookie access. Remediated.

#009 - Email Change Logic Flaw (High)

Identified that a user’s email address could be changed without re-entering the current password, enabling potential account takeover via session hijacking. Remediated by adding re-authentication check.

#005 - Information Disclosure (Medium)

Identified unauthenticated Prometheus metrics endpoints exposing internal infrastructure details. No credentials or customer data exposed. Remediated.

#012 - Open Redirect / XSS (Medium)

Identified vulnerability in internal Grafana instances (CVE-2025-4123) that could lead to arbitrary JavaScript execution and session hijacking for targeted DevOps team members. Remediated by upgrading.

#001 & #002 - XML-RPC & CORS (Low)

Reported XML-RPC endpoint and permissive CORS configuration on marketing site. Limited impact due to no customer data on affected system. Combined bounty awarded.

#011 - Exposed Admin Interface (Low)

Reported phpMyAdmin setup wizard was publicly exposed. Classified as Low severity due to affecting the marketing website. Remediated.

🚫 Declined Report Categories

For transparency, the following report types have been submitted and declined under our program terms:

All-in-One Platform

Human-Centric AI Integration

Flexible Customization

Booking & Schedule

Unlimited Email Marketing

PowerPro Suite