The Prepr Vulnerability Disclosure Program (VDP) provides a clear process for security researchers and members of the public to responsibly report security vulnerabilities they discover in Prepr’s systems, applications, or services as outlined in the scope below.
By participating in this program, researchers agree to comply with this policy, our Privacy Policy, and all applicable laws.
Scope
The scope of the Prepr VDP includes:
- All *.prepr.io applications and customer workspaces
- https://prepr.io
- Prepr APIs and services operated by Prepr
The program covers security vulnerabilities discovered in Prepr’s systems and software. It does not include vulnerabilities in third-party services or software used by Prepr unless they directly result in a vulnerability affecting Prepr.
Researchers should only test against their own accounts, workspaces, and data, or test accounts and data created by themselves. Testing must not disrupt or compromise any Prepr customer data.
Prepr will not fund or reimburse any fees, subscription costs, or other expenses incurred while conducting security research.
Qualifying Vulnerabilities
We actively review all reported vulnerabilities. To be considered in scope, a report must describe a reproducible security vulnerability with demonstrable practical security impact. Reports consisting solely of best practice recommendations, theoretical attack scenarios, informational findings, or hardening suggestions without demonstrating an exploitable security impact are considered informational and are outside the scope of this program.
Excluded Scope
- Denial of Service (DoS) attacks
- Resource exhaustion attacks
- Rate limiting issues without demonstrated security impact
- Brute force attacks on login or password reset pages
- Recommendations regarding authentication hardening without demonstrated exploitability.
- Disclosure of internal IP addresses, software versions, or server banners
- Issues related to cross-domain policies without evidence of exploitability
- Username or email enumeration via login, pending invitations, forgot password, or registration error messages
- Cookie validation or expiration recommendations without demonstrated impact
- Weak TLS cipher recommendations or support for TLS versions prior to 1.3
- Open ports
- Overly permissive storage buckets without demonstrated impact
- Missing HTTP security headers without demonstrated impact
- Missing Content Security Policy (CSP) without a demonstrated exploit
- Missing Subresource Integrity (SRI) without demonstrated security impact.
- Concurrent sessions
- Compliance recommendations (OWASP, CIS, ASVS, etc.) without a demonstrated vulnerability.
- Login notifications for new sessions
- Missing email verification where account recovery mechanisms exist
- Authentication flows that intentionally rely on the security controls of trusted Single Sign-On providers
- Any form of social engineering or phishing targeting Prepr employees, customers, or partners
- Reports requiring unrealistic or excessive user interaction
- Vulnerability reports based solely on automated scanner output or general hardening recommendations
Rewards
Prepr does not currently operate a bug bounty program. We do not offer monetary rewards, swag, credits, or other compensation for vulnerability disclosures.
Reporting Bugs
If you wish to responsibly disclose a vulnerability to Prepr, we recommend using the OpenSSF Vulnerability Disclosure Report Template when preparing your report.
Please send your report to:
Your report should include:
- A clear description of the issue
- Steps to reproduce
- Affected URLs or endpoints
- The potential security impact
- A proof of concept where applicable
Response SLOs
We aim to acknowledge vulnerability reports within 3 business days.
Triage, mitigation, and resolution of reported issues depend on their complexity and severity. As such, we cannot guarantee specific timelines for investigation or resolution.
Legal and Privacy
By submitting a report, you agree to Prepr’s Privacy Policy regarding the processing of your personal data.
Your testing must comply with all applicable laws. Testing must only be performed against your own accounts, workspaces, and data, and must not disrupt, access, modify, or compromise any data or systems that do not belong to you.