Report a Vulnerability

Our Site Reliability team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Customer.io’s security, please get in touch by email at ctf@customer.io. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Customer.io’s Site Reliability team.

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Customer.io rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).

A minimum reward of $100 USD may be provided for the disclosure of qualifying reports. At our discretion, we may increase the reward amount based on the severity of the report. If you report a vulnerability that does not qualify under the above criteria, we may still provide a non-monetary reward in the form of Customer.io merchandise if your report causes us to take specific action to improve our security posture.

We ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and your testing must avoid compromising other users and accounts or causing loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Customer.io itself and all services offered by Customer.io are eligible, vulnerabilities in third-party applications that use Customer.io are not.

As with most security reward programs, there are some restrictions:

  • We will only reward the first person to responsibly disclose a bug to us
  • Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded
  • Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time
  • Your testing must not violate any laws
  • We can’t provide you a reward if it would be illegal for us to do so, such as to residents of countries under current U.S. sanctions

Access & Testing

  • You can sign up for Customer.io at https://fly.customer.io/users/signup
  • Use “Security Testing” in your workspace names
  • Only test against accounts/workspaces you have created or our CTF account
  • Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, Ember, and REST APIs.

Libraries

Customer.io provides libraries written in various languages to our customers (https://customer.io/docs/libraries). We invite you to review the source code of our Official Libraries, all of which are hosted on Github. Qualifying submissions must have a demonstrable impact and realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.

Capture the Flag

We have an account configured exclusively for security testing and proof-of-concepts for high severity attacks.

  • The workspace ID is 82491
  • The Site ID of this workspace is 986a5e23f592c0af08df
  • The admin user for this workspace is ctf@customer.io

There is a single user profile in that workspace. If you can provide the value of that user’s “ctf” attribute we’ll immediately classify the vulnerability severe.

We only authorize security research on the CTF account provided above and accounts you create personally. Any attempts to breach other Customer.io accounts will result in denial of a bounty reward and, depending on severity, referral to the appropriate law enforcement agencies. If you’ve accidentally breached other accounts, notify our team at ctf@customer.io ASAP with all relevant details so we can work with you rather than against you.

Out of Scope

  • Presence or absence of DMARC/SPF records.
  • Denial of service attacks.
  • Lack of rate limiting.
  • Brute-force attacks.
  • Self-inflicted XSS.

Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the Site Reliability team.

Customer.io uses a number of third-party providers and services. Our vulnerability program does not give you permission to perform security testing on their systems.

To find out more about Customer.io’s security, please visit our security information page.