Coordinated Disclosure Policy

Material believes in cooperating with and rewarding skilled security researchers who assist in identifying weaknesses or vulnerabilities in the Material application or infrastructure.

Material operates a private bug bounty program hosted on the HackerOne platform. Researchers who notify us about an identified security vulnerability in Material Security’s application or infrastructure will promptly be sent an invitation to our bug bounty program, at which point they will be able to share details regarding the vulnerability.

We are unable to issue rewards or payments for reported vulnerabilities outside of the HackerOne platform. To be eligible for a reward, researchers must submit their finding(s) on the HackerOne platform.

Last update on November 14, 2024

Disclosure Policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at disclosure@material.security. We will acknowledge your email within five business days and provide an invitation to our private bug bounty program. While researching, please:

  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Material service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Out of Scope Vulnerabilities

Website Security

  1. Clickjacking on pages with no sensitive actions
  2. Tabnabbing
  3. Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  4. Previously known vulnerable libraries without a working Proof of Concept
  5. Content spoofing and text injection issues without demonstrating a viable attack vector
  6. Rate-limiting or brute-forcing issues on non-authentication endpoints
  7. Open redirects - unless an additional security impact can be demonstrated
  8. HTTP request smuggling - unless a specific exploit can be demonstrated (e.g., XSS, open redirect, bypassing authentication, etc.)

Misconfigurations & Best Practices

  1. Missing best practices in SSL/TLS configuration
  2. Missing best practices in Content Security Policy
  3. Missing HttpOnly or Secure flags on cookies
  4. Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  5. Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)

Physical Security

  1. Attacks requiring MITM or physical access to a user's device

Misc Security

  1. Any activity that could lead to the disruption of our service (DoS)
  2. Vulnerabilities only affecting users of outdated or unpatched browsers (browsers more than two stable versions behind the latest released stable version)
  3. Issues that require unlikely user interaction

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://www.material.security/disclosure.

Contact

Material is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at disclosure@material.security.

Disciplinary Action

Employees who violate this policy may face disciplinary consequences in proportion to their violation. Material Security management will determine how serious an employee’s offense is and take the appropriate action.

Responsibility

It is the Security team’s responsibility to ensure this policy is enforced.
