Ably Vulnerability Disclosure Policy

Maintaining the security, privacy, and integrity of our products is a priority at Ably. Therefore, Ably appreciates the work of researchers in order to improve our security and/or privacy posture. We are committed to creating a safe and transparent environment to report vulnerabilities.

If you believe you have found a security or privacy vulnerability that could impact Ably or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. We ask that you follow this Vulnerability Disclosure Policy, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

The purpose of this page is to provide you with all the information you need if you have discovered a potential vulnerability in any of our services.

We really appreciate the work that our researchers do, however when creating an account to test against our systems we would really appreciate it when you register if you could put bugbountyably within the company and use case fields, this allows us to separate testing accounts from actual customer accounts.

This policy document applies to reports submitted on or after May 1, 2021. We reserve the right to cancel this program or modify this policy at any time.

Scope

The following services and endpoints are within scope of this policy:

  1. the Ably website at ably.com
  2. ancillary websites at *.ably.com operated by Ably
  3. the production service endpoints at realtime.ably.io and rest.ably.io
  4. functionally equivalent service endpoints at

    • *-realtime.ably.io
    • *-rest.ably.io
    • *.ably-realtime.com
    • Ably service endpoints served from customer domains via CNAME

All other domains and services are out of scope. In particular, Ably subdomains that are served by third parties such as support.ably.com are out of scope, but those third parties might themselves have applicable vulnerability disclosure policies.

Reporting Guidelines

Submitting clear, detailed reports is highly encouraged. Each report should explain one vulnerability in detail, identify its impact, and most importantly include steps or a "proof of concept" instructions to reproduce the issue. Include attachments such as screenshots or proof of concept code as necessary.

Very low-quality reports, such as those which only contain automated output, will be rejected.

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. Not only will this help get security issues resolved in a timely fashion; it also improves your chances of being the one granted any reward. The first responsible disclosure of any individual issue will be eligible for a reward.

We ask that any details of a reported vulnerability remain confidential to best protect our users until the vulnerability is verified, fixed and retested. Please provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of service. Only interact with accounts you own or with explicit permission of the account holder. If in the course of your research you come into possession of personal data about Ably customers or employees we ask that you ensure this is handled carefully and deleted as soon as you have made the disclosure.

Disclose the vulnerability report directly and exclusively to us. All submissions should be made via email to [email protected].

Assessing Severity and Rewards

For valid reports that are in scope, Ably will determine appropriate rewards. Ably uses the CVSS score as a starting point in assessing severity and the reward to be paid. The following rewards are based on Ably's severity assessment.

  1. Low: $150
  2. Medium: $500
  3. High: $1500
  4. Critical: $5000

We may adjust the severity and reward at our discretion based on other factors including business impact, clarity and simplicity of the report, and similarity to other issues. This is entirely at our discretion.

Granted rewards can be paid out to charity instead of the researcher by request. Reward amounts are set and paid in USD.

Ably does not charge any fees for paying rewards, but when a reward is paid a fee may be charged by intermediary banks and/or the receiving bank. Such fees are outside of our control and we cannot be responsible for them.

We may choose to withhold a reward we would otherwise have granted if we feel the researcher has recklessly exposed our users to unnecessary and unacceptable risk or harm.

Exclusions

None of the research you have done when reporting a vulnerability should involve unlawful or destructive methods. Our Terms of Service and relevant computer crime laws apply. For example, we do not condone research targeting us or our users with:

  1. Malware, viruses or similar harmful software
  2. Unsolicited messages, such as spam or phishing
  3. Physical entrance to any of our offices or facilities
  4. Interfering with other users of the service

Any of the activities above will result in disqualification from the program permanently.

Denial of Service and Brute Force

Targeted brute force attacks are NOT permitted to discover incorrect or missing rate limits such as checking the rate limit on a password input.

A missing rate limit does not always signify a security issue.

Vulnerability reports that do not qualify

  1. Reports regarding username enumeration
  2. Bugs requiring exceedingly unlikely user interaction
  3. Reports of software usage disclosure or software version disclosure
  4. Information disclosure about internal systems that does not represent a specific security vulnerability of confidentiality, integrity or availability
  5. Reporting vulnerabilities that are deemed as accepted risks
  6. Bugs that don’t affect the latest version of modern browsers, or browser extensions
  7. Attacks requiring MITM or physical access to a user's device
  8. Previously known vulnerable libraries without a working proof of concept (PoC)
  9. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  10. Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
  11. Disclosure of known public files or directories (eg robots.txt)
  12. Banner disclosure on common/public services without a PoC
  13. Security header configurations or missing headers
  14. Lack of Secure/HTTPOnly flags on non-sensitive cookies
  15. Abstract possibility of phishing or social engineering attacks, including open redirects
  16. Reports relating to TLS configuration or known protocol, ciphersuite or certificate weaknesses

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with our policy.

If you have any further questions regarding our approach to coordinated disclosure, please contact us at [email protected].