Bug Bounty Program
At Docfield.com, we are committed to ensuring the security and privacy of our users. We invite security researchers and ethical hackers to help us identify vulnerabilities in our platform through our Bug Bounty Program. We offer monetary rewards and optional public recognition for responsibly disclosed vulnerabilities.
Program Scope
This program covers vulnerabilities in the following Docfield.com assets:
- Website: https://www.docfield.com
- Web Application: All functionality accessible via authenticated and unauthenticated user accounts
- APIs: Publicly accessible APIs associated with Docfield.com
- Subdomains: *.docfield.com (e.g., app.docfield.com, api.docfield.com)
Out of Scope
- Third-party services or applications not directly controlled by Docfield.com
- Social engineering, phishing, or physical attacks
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks
- Issues without clear security impact (e.g., clickjacking on static pages, missing headers without exploitability)
- Self-XSS or vulnerabilities requiring unlikely user interaction
- Rate-limiting or brute-force issues without exploitable impact
- Content spoofing or text injection without significant security impact
Eligibility
To participate, you must:
- Be at least 18 years old
- Not be employed by Docfield.com or its affiliates
- Not reside in countries under U.S. sanctions or other restricted jurisdictions
- Adhere to responsible disclosure guidelines
Responsible Disclosure Guidelines
- Report vulnerabilities promptly via email to security@docfield.com with a clear description, steps to reproduce, and potential impact.
- Do not publicly disclose vulnerabilities until we have resolved them and granted permission.
- Limit exploitation to the minimum required to demonstrate the issue (e.g., no data modification, deletion, or exfiltration).
- Avoid accessing or modifying user data without explicit permission.
- If, during your testing, you inadvertently access personal data, do not store, transmit, or disclose it. Immediately include this information in your report so that we can take appropriate action.
- Allow us reasonable time (typically 90 days) to resolve issues before expecting public disclosure.
Rewards
We offer monetary rewards for valid, previously unreported vulnerabilities based on their severity and impact, as determined by our security team. Severity is assessed using industry standards (e.g., CVSS scores, exploitability, and affected assets).
- Low Severity: €100
  Examples: Cross-Site Scripting (XSS) requiring significant user interaction, minor information leaks without sensitive data
- Medium Severity: €250
  Examples: Cross-Site Request Forgery (CSRF) with significant impact, authentication bypasses with limited scope, privilege escalation with moderate impact
- High Severity: €1,000
  Examples: Remote code execution (RCE) with limited access, SQL injection exposing sensitive data, significant privilege escalation
- Critical Severity: €2,500
  Examples: Full account takeover without user interaction, widespread data exposure, critical infrastructure compromise
Notes on Rewards
- Duplicate reports will not be rewarded unless they provide significant new information.
- Rewards are paid via bank transfer or PayPal within 30 days of validation, subject to eligibility and tax compliance.
- Reward payments are subject to applicable taxes. Recipients are responsible for reporting and paying any taxes due in their jurisdiction.
- We reserve the right to adjust reward amounts based on the vulnerability’s impact and our assessment.
Submission Process
- Email security@docfield.com with the following details:
  - Vulnerability description
  - Steps to reproduce (including tools, payloads, or screenshots if applicable)
  - Affected asset (e.g., URL, API endpoint)
  - Potential impact
  - Your contact information (name, email, optional public handle for recognition)
- Your personal data provided in the submission will be processed in accordance with our Privacy Policy and will only be used for managing the bug bounty program, communicating with you about your submission, and, if applicable, processing reward payments.
- We will acknowledge receipt within 72 hours and provide updates on our assessment.
- Once validated and resolved, we will process the reward and discuss recognition preferences.
Safe Harbor
We will not pursue legal action against researchers who:
- Follow this program’s guidelines
- Act in good faith to identify vulnerabilities
- Do not harm our users, systems, or data
Malicious activity (e.g., data theft, unauthorized access beyond proof-of-concept) will be addressed legally.
Recognition
With your consent, we will:
- List your name or handle on our Hall of Fame
- Acknowledge your contribution in release notes or blog posts (if applicable)
Program Updates
We may update this program at any time. Changes will be posted on this page, and ongoing submissions will be subject to the latest terms.
Contact
For questions or submissions, email security@docfield.com. Thank you for helping keep Docfield.com secure!