Skip to content
Sign In
Get a Demo
arrow-pattern-bg

Vulnerability Disclosure Program

Jump to:

About DebtBook

DebtBook works with local governments and not-for-profits in higher education and healthcare to provide finance teams with the software tools they need to effectively serve their communities and build the future we all want. Our software enables these teams to track, manage, and report on their financial obligations efficiently in the cloud.

Working with these organizations across the United States, DebtBook recognizes that threats to the security of our environment and customer information are ever-present. We value the important role security researchers play in helping us protect our businesses’ and customers’ information and look forward to working with the community.

If you believe you have discovered a potential security vulnerability with any of DebtBook’s products or services, we welcome working with you to resolve the issue promptly and appreciate your help in disclosing the issue to us responsibly. We appreciate and value the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

Please note this program does not provide monetary rewards for bug submissions, and it is for responsible disclosure purposes only.

Reporting

Vulnerabilities may be reported using the form provided or by emailing security@debtbook.com.

Identification Header

In order to separate researcher traffic from real user traffic, Debtbook requires that you include a unique string in the User-Agent of every HTTP request you make (whether directly or through any tooling you might use).

Include the string “(db_vdp)” in your user-agent as follows: - User-Agent: [..] (db_vdp)

Response Targets

DebtBook will do our best to meet the following SLAs for researchers participating in our program:

Type of Response SLA in Business Days
First Response 5 days
Time to Triage 10 days
Time to Resolution depends on severity and complexity


We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without DebtBook's express written permission.

Target Scope

The targets that are in scope are:

  • app.debtbook.com
  • sources.debtbook.com
  • uat.debtbook.com
The messaging script on the main app.debtbook.com that says "Powered by Intercom" is NOT in scope. This is a third-party, client-side script that does not interact directly with our system.
Program Rules
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Do not compromise or exfiltrate data, establish command-line access and/or persistence, or "pivot" to other systems.
  • Once you've established that a vulnerability exists, or encounter any of the sensitive data outlined below, please stop your test and notify us immediately; and
  • Use the identified communication channels to report vulnerability information to us.
Sensitive Information
  • Personally identifiable information (Name, Title, Email)
  • Financial information - While much of the data and information contained within DebtBook is available in the public domain or is subject to disclosure under applicable public records laws, some user data or information may constitute or contain confidential information not subject to disclosure.
Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers [More than 2 stable versions behind the latest released stable version].
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction.
Authorization and Safe Harbor

If you make a good faith effort to comply with this policy during your security research, we will (1) consider your research to be authorized, (2) work with you to understand and resolve the issue quickly, and (3) not initiate or recommend legal action related to your research.

If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

When conducting vulnerability research according to the guidelines and scope of this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in any software Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of the channels in the "Reporting a vulnerability" section before going any further.

Thank you for helping keep DebtBook and our users safe!

Last Update
July 20, 2023
question-mark-icon

Security Questions?

If you believe you’ve discovered a security bug or vulnerability, please report it using our Vulnerability Disclosure form by clicking the button labeled Contact Security Team. We will investigate your report and respond to you as soon as possible. Please do not disclose your findings until we have had the opportunity to review and address them with you.

You may also email security@debtbook.com with your findings.

Contact Security Team
CTA Illustration Grouped (1) (1) (1)

Get a Firsthand Look at DebtBook

Ready to see what DebtBook can do for you? Let’s set up a personal 30-minute demo. We’ll walk you through every aspect of DebtBook, so you can see how we’re changing the game for organizations like yours.

Start changing the way you work. Schedule a demo today!

Schedule a Demo