Keeping your projects, responses and user information safe and secure is a top priority and a core value for us as a company. As such, we welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Ballpark users. No technology is perfect, and Ballpark believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Reported bugs will be assessed by our security team to determine if they qualify for a reward. Please report a potential security issue immediately. Ballpark will consider the impact to the company and to our users and will calculate the reward accordingly. Bug submissions will be reviewed within 30 days. This page is intended for security researchers and professionals.
If you're having issues related to your individual account, then please visit our Help Center.
Our Bug Bounty program is limited to security vulnerabilities in Ballpark web applications; do not attempt phishing attacks against our users in any circumstances. Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. Vulnerability testing tools that automatically generate significant volumes of traffic are strictly prohibited. The following sites and applications are in scope for this program:
* ballparkhq.com (TLD Only)
Vulnerabilities reported on other Ballpark properties or applications, such as blog.ballparkhq.com are currently not eligible for monetary rewards.
The following bugs are unlikely to be eligible for a bounty payment
- Issues found through automated testing
- Scanner output or scanner-generated reports
- CVE Vulnerabilities released within the last 60 days
- Missing http security headers
- Logout and other instances of low-severity Cross-Site Request Forgery
- SSL/TLS best practices
- Denial of Service attacks or Rate limiting issues
- Brute Force attacks
- Lack of Captcha
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies
- Spam including:
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- Content Spoofing / text injectionIssues relating password and account recovery policies, such as reset link expiration or password complexityFull-Path Disclosure on any propertyClickjacking/UI redressing with no practical security impactCSRF-able actions that do not require authentication (or a session) to exploitReports related to the following security-related headers:
- * Bugs that do not represent any security risk
- * Security bugs related to third-party applications and services used by Marvel
- * Email signup and verification methods
Social engineering attacks against our support and security team is strictly prohibited. This will most likely result in your account being closed and no bounty will be awarded.
- Let us know as soon as possible via firstname.lastname@example.org upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Thank you for helping keep Ballpark and our users safe and secure!