Plausible Analytics Vulnerability Disclosure Program
No technology is perfect, and we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
What is a Vulnerability Disclosure Program?
A Vulnerability Disclosure Program (VDP) is the “see it, say it, sort it” of the internet. We encourage security researchers to report any behaviour impacting the information security posture of Plausible Analytics products and services.
Please document your findings thoroughly, providing steps to reproduce and send your report to us.
- Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.
- We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
- We will work with the affected teams to validate the report.
- We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.
Reference HackerOne guidance on writing quality reports: https://docs.hackerone.com/hackers/quality-reports.html https://www.hacker101.com/sessions/good_reports
Who Can Participate?
Anyone on the internet can participate
Disclosure Policy
By disclosing a vulnerability, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties.
Scope
- Internet services hosted on *.plausible.io
- Open-source codebase hosted at https://github.com/plausible/analytics
Critical Vulnerabilities
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Exposed Administrative Panels that without strong protection
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Vast Users’ Sensitive Information Leakage
- Known vulnerabilities in unpatched software (usually third party)
- (sub)domain takover
Out of Scope
- Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc.
- PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers.
- Reports from automated tools or scans.
- Social engineering and physical attacks
- Distributed Denial of Service attacks that require large volumes of data.
- 0-day vulnerabilities less than 30/60/90 days from patch release.
- Provisioning and/or usability issues.
- Violations of licenses or other restrictions applicable to any vendor’s product.
- Security vulnerabilities in third-party products or websites that are not under Plausible Analytics’ direct control.
- “Self” XSS
- Session fixation
- Content spoofing
- Missing cookie flags
- SSL/TLS best practices
- Mixed content warnings
- Clickjacking/UI redressing
- Flash-based vulnerabilities
- Local denial of service of Mobile APP
- Reflected file download attacks (RFD)
- Physical or social engineering attacks
- Feedback, comment, message, etc. flooding
- SMS/Email flooding for some of our business
- CSRF/XSS with long or unpredictable parameter
- Login/logout/unauthenticated/low-impact CSRF
- Unverified Results of automated tools or scanners
- No SPF/DMARC in non-email domains/subdomains
- Attacks requiring MITM or physical access to a user’s device
- Issues related to networking protocols or industry standards
- Error information disclosure that cannot be used to make a direct attack
- Missing security-related HTTP headers which do not lead directly to a vulnerability
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. To Submit Reports please send it via email security@plausible.io We will respond within 1 to 5 working days. Thank you for helping keep our company and our users safe!