Report a Vulnerability
Our Site Reliability team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Customer.io’s security, please notify us via email at firstname.lastname@example.org. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Customer.io’s Site Reliability team.
We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Customer.io rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).
A reward may be provided for the disclosure of qualifying reports. At our discretion, we will determine the reward amount based on the severity of the report. If you report a vulnerability that does not qualify under the terms herein, we may still provide a non-monetary reward in the form of Customer.io merchandise if your report causes us to take specific action to improve our security posture.
We ask that you use common etiquette when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts, or loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities. Customer.io’s product: Journeys is the only eligible Customer.io service under this program. For the avoidance of doubt, vulnerabilities in third-party applications that use Customer.io are not eligible for this program.
As with most security reward programs, there are some restrictions:
- We will only reward the first person to responsibly disclose a bug to us
- Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded
- Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time
- Your testing must not violate any laws
- We can’t provide you a reward if it would be illegal for us to do so, such as to residents of countries under current U.S. sanctions
Access & Testing
- You can sign up for Customer.io at https://fly.customer.io/users/signup.
- Use “Security Testing” as part of the Company Name provided during signup. EX: Acme – Security Testing
- Only test against accounts/workspaces you have created or our CTF account.
- Only test against the fly.customer.io web application and the track.customer.io API. All other domains/applications are out of scope.
- Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, Ember, and REST APIs.
Customer.io provides libraries written in various languages to our customers (https://customer.io/docs/libraries). We invite you to review the source code of our Official Libraries, all of which are hosted on Github. Qualifying submissions must have a demonstrable impact and realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.
Capture the Flag
We have an account configured exclusively for security testing and proof-of-concepts for high severity attacks.
- The workspace ID is 82491
- The Site ID of this workspace is 986a5e23f592c0af08df
- The admin user for this workspace is email@example.com
There is a single user profile in that workspace. If you can provide the value of that user’s “ctf” attribute we’ll immediately classify the vulnerability severe.
We only authorize security research on the CTF account provided above and accounts you create personally. Any attempts to breach other Customer.io accounts will result in a denial of bounty reward and depending on severity appropriate referral to law enforcement agencies. If you breach any other account, you must immediately notify our team at firstname.lastname@example.org as soon as you know, with all relevant details so we can work with you rather than against you.
Out of Scope
- Reports not pertaining to the fly.customer.io and track.customer.io domains.
- Presence or absence of DMARC/SPF/other DNS records.
- Denial of service attacks.
- Lack of rate limiting.
- Brute force attacks.
- Self inflicted attacks.
For more clarification on that last point regarding self inflicted attacks, this includes any report that requires privileged access to a Customer.io account to execute. This doesn’t include privilege escalation reports where a user with limited permission can perform actions beyond their privilege level by way of an exploit. It does include any report where an attacker must first compromise a Customer.io user account in order to deliver their payload. These reports are denied as out of scope unless they have an accompanying PoC demonstrating how an external attacker could first compromise the user account remotely.
Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the Site Reliability team.
Customer.io uses a number of third-party providers and services. Our vulnerability program does not give you permission to perform security testing on their systems.
To find out more about Customer.io’s security, please visit our security information page.