Report a Vulnerability 

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Customer.io rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).

A reward may be provided for the disclosure of qualifying reports. At our discretion, we will determine the reward amount based on the severity of the report. If you report a vulnerability that does not qualify under the terms herein, we may still provide a non-monetary reward in the form of Customer.io merchandise if your report causes us to take specific action to improve our security posture.

We ask that you use common etiquette when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts, or loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities. Customer.io’s product: Journeys is the only eligible Customer.io service under this program. For the avoidance of doubt, vulnerabilities in third-party applications that use Customer.io are not eligible for this program.

As with most security reward programs, there are some restrictions:

• We will only reward the first person to responsibly disclose a bug to us
• Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded
• Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time
• Your testing must not violate any laws

In Scope

Access & Testing

• Use “Security Testing” as part of the Company Name provided during signup. EX: Acme – Security Testing
• Only test against accounts/workspaces you have created or our CTF account.
• Only test against the fly.customer.io web application and the track.customer.io API. All other domains/applications are out of scope.
• Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, Ember, and REST APIs.

Libraries

Capture the Flag

We have an account configured exclusively for security testing and proof-of-concepts for high severity attacks.

• The workspace ID is 82491
• The Site ID of this workspace is 986a5e23f592c0af08df
• The admin user for this workspace is ctf@customer.io

There is a single user profile in that workspace. If you can provide the value of that user’s “ctf” attribute we’ll immediately classify the vulnerability severe.

Out of Scope

• Reports not pertaining to the fly.customer.io and track.customer.io domains.
• Presence or absence of DMARC/SPF/other DNS records.
• Denial of service attacks.
• Lack of rate limiting.
• Brute force attacks.
• Self inflicted attacks.

For more clarification on that last point regarding self inflicted attacks, this includes any report that requires privileged access to a Customer.io account to execute. This doesn’t include privilege escalation reports where a user with limited permission can perform actions beyond their privilege level by way of an exploit. It does include any report where an attacker must first compromise a Customer.io user account in order to deliver their payload. These reports are denied as out of scope unless they have an accompanying PoC demonstrating how an external attacker could first compromise the user account remotely.

Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the Site Reliability team.

Customer.io uses a number of third-party providers and services. Our vulnerability program does not give you permission to perform security testing on their systems.