Smartly Vulnerability Disclosure Policy

At Smartly, we take the security of our applications and systems seriously. We greatly value the contributions of the security research community and encourage responsible disclosure of potential vulnerabilities.
While we do not operate a formal bug bounty program, we welcome reports of security issues and we may, at our discretion and subject to applicable law and tax requirements, recognize valid and impactful contributions with small tokens of appreciation or monetary rewards, depending on the severity of the finding. Higher monetary rewards for significantly impactful and exploitable vulnerabilities are paid by invoice and only to legal entities that are not subject to trade sanctions or export restrictions.
We are primarily interested in vulnerabilities affecting:
- Smartly applications at https://app.smartly.io
- Smartly-owned infrastructure and systems
Qualifying examples
We consider the following types of findings as in-scope, depending on severity:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Local File Inclusion (LFI) or directory traversal
- Domain takeover and website defacement
- Authentication or authorization bypasses
- Other critical issues with real security impact that demonstrably affect Smartly’s confidentiality, integrity, or service availability
Out of scope
The following are generally considered out of scope:
- Email authentication issues (SPF, DKIM, DMARC)
- DNSSEC-related findings
- Clickjacking without demonstrable impact
- Potentially weak TLS ciphers/protocols
- User enumeration (unless rate-limiting controls can be bypassed)
- Issues in our marketing site https://www.smartly.io, as it is hosted by a third party using their content creation tools, unless they have a demonstrable impact on other Smartly infrastructure.
- Physical attacks or social engineering attacks (e.g. phishing) against Smartly employees or systems.
- Testing that could negatively impact Smartly’s services or customers (e.g. spamming or denial of service).
If you believe you’ve discovered a security vulnerability in Smartly’s applications or systems:
- Email us at security@smartly.io with a clear description of the issue
- Include relevant details (affected endpoints, reproduction steps, proof of concept if possible)
We kindly ask you to:
- Follow responsible disclosure practices
- Not disclose any information about the vulnerability to any third parties until it has been remediated
- Avoid impacting Smartly customers, data, or services during testing
- Cease testing immediately once you have sufficient information to demonstrate the vulnerability
To ensure a safe and constructive security testing process, do not engage in the following prohibited activities:
- Performing DoS or DDoS attacks.
- Exploiting vulnerabilities for malicious purposes or beyond what is necessary to demonstrate the finding.
- Performing any actions that could interrupt or degrade our services.
- Accessing, modifying, or destroying customer data, personal data, or confidential information.
If you make a good faith effort to comply with this policy while researching and reporting vulnerabilities, we will consider your research authorized, and we will not pursue legal action against you. However, Smartly reserves all rights to determine whether a report complies with this policy, and this policy does not create any contractual or legal rights for any party.