Submit bug report: https://prezi.com/bug-bounty/
Prezi Responsible Disclosure
At Prezi, we take the security of our users’ data very seriously, and we believe in harnessing the power of the security researcher community to help keep our users safe. We encourage the responsible disclosure of security vulnerabilities.
This brief ("brief") covers your participation in the Prezi Responsible Disclosure Program (the "Program"). It sets out terms between you and Prezi ("Prezi," "us" or "we"). By submitting any vulnerabilities to Prezi or otherwise participating in the Program in any manner, you accept these terms, the Prezi Privacy Policy, and the BugCrowd Standard Disclosure Terms, Code of Conduct, Disclosure Policy, and Terms of Service.
To join the program, you should read this entire brief, and only proceed if you accept all the terms within.
Thank you for making Prezi better for everyone!
Discovering security vulnerabilities
We encourage and allow you to conduct security research and vulnerability testing on Prezi services and products to which you have authorized access on the “prezi.com” domain.
Please always keep the following rules in mind:
Never attempt to access someone else’s account or data; please always use your own account(s) for testing.
Never try to modify or destroy any data that does not belong to you.
Do not attempt or launch a denial of service attack. We and our users appreciate reliability.
Do not attempt or execute social engineering attacks (including but not limited to unsolicited or unauthorized emails, spam, or other forms of unsolicited messages).
Do not test third parties that integrate with Prezi services (see the “What we are not interested in” section below for more details).
Do not operate directly or indirectly with malicious or harmful software. We like to keep prezi.com clean for our users.
Don’t do anything that violates any applicable law.
Your participation in the Program is entirely voluntary. You acknowledge that Prezi has not offered or promised any reward or bounty payment for your participation in the Program. However, Prezi reserves the right to reward participation in the Program in its sole discretion on a case by case basis.
What we are not interested in
In general, please don’t report the following findings, unless you can showcase an actual vulnerability leading to significant impact:
CSRF vulnerabilities where exploitation is not realistically probable (e.g. another random or hard-to-obtain value is required for exploitation), and CSRF in the authentication function
Missing “HttpOnly” flag on cookies other than the following: auth-sessionid, prezi-auth, sessionid
Missing “Secure” flags for any cookie
Username / user id enumeration
Missing “X-Frame-Options”, “Strict-Transport-Security”, “X-Content-Type-Options: nosniff”, “X-Xss-Protection” headers
Phishing by navigating the opening tab, a.k.a. "window.opener" (reverse tabnabbing)
Absence of rate limiting
Denial of Service
User password brute force attack
"Leakage" of publicly available information (e.g.: server version info in response header)
Since our list of integrations may change, always resolve our subdomains before testing to verify that they do not point to an external / third-party service.
For example, the following domains and subdomains are pointing to different third-party solutions, which we are not authorized to include in this program:
beautifulbits.prezi.com/
blog.prezi.com/
support.prezi.com
*.cdn01.prezi.com
*.cdn02.prezi.com
streamingcdn.prezi.com
videocdn.prezi.com
videothumbcdn.prezi.com
email.prezi.com
*.preziusercontent.com
*.prezicdn.net
*.prezi.community
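As an added example (not Prezi's own tooling), the following script performs the scope check the brief asks for: it takes the output of `dig +short` for a hostname, follows the CNAME hops, and reports whether the name still resolves to first-party infrastructure, is listed as third-party above, or points at another provider. The excluded patterns are copied from the list above; the `dig` dependency for live lookups and the sample CNAME targets in the tests are assumptions, and the classification logic itself runs offline.

```python
"""Scope check for a responsible-disclosure program: resolve a hostname and
decide whether it still points at first-party infrastructure.

Added example, not Prezi's own code. It assumes `dig` is installed for live
lookups; the classification logic is pure Python and runs offline.
"""
import fnmatch
import ipaddress
import shutil
import subprocess
import sys

# Domains the program treats as first-party (from the brief).
FIRST_PARTY_SUFFIXES = ("prezi.com",)

# Hosts the brief lists as third-party and out of scope. "*." entries match
# any label(s) in front of the suffix, as in the brief.
EXCLUDED_PATTERNS = (
    "beautifulbits.prezi.com",
    "blog.prezi.com",
    "support.prezi.com",
    "*.cdn01.prezi.com",
    "*.cdn02.prezi.com",
    "streamingcdn.prezi.com",
    "videocdn.prezi.com",
    "videothumbcdn.prezi.com",
    "email.prezi.com",
    "*.preziusercontent.com",
    "*.prezicdn.net",
    "*.prezi.community",
)


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot dig prints on FQDNs."""
    return name.strip().rstrip(".").lower()


def is_first_party(name: str) -> bool:
    name = _norm(name)
    return any(name == s or name.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def is_listed_excluded(name: str) -> bool:
    name = _norm(name)
    return any(fnmatch.fnmatchcase(name, p) for p in EXCLUDED_PATTERNS)


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def classify(name: str, chain: list) -> tuple:
    """Return (verdict, reason) for a hostname.

    `chain` is the output of `dig +short <name>` split into lines: zero or
    more CNAME targets followed by the final address records.
    """
    if is_listed_excluded(name):
        return "out-of-scope", "listed as third-party in the program brief"
    if not is_first_party(name):
        return "out-of-scope", "not under a first-party domain"
    for hop in (_norm(h) for h in chain if h.strip()):
        if _is_ip(hop):
            continue  # address record: end of the alias chain
        if not is_first_party(hop):
            return "out-of-scope", "CNAME points to third-party host " + hop
    if not any(h.strip() for h in chain):
        return "unresolved", "no records returned; do not assume it is in scope"
    return "in-scope", "resolves to first-party infrastructure"


def resolve_chain(name: str) -> list:
    """Live lookup via `dig +short`; returns [] if dig is missing or fails."""
    if shutil.which("dig") is None:
        return []
    proc = subprocess.run(["dig", "+short", name], capture_output=True,
                          text=True, timeout=10)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for host in sys.argv[1:]:
        verdict, why = classify(host, resolve_chain(host))
        print(f"{host}: {verdict} ({why})")
```

Run it as `python scope_check.py app.prezi.com` before testing a host. Note the limitation: a first-party name that has a direct A record pointing at a hosting provider's address space cannot be detected by name alone, so an "in-scope" verdict from this script is a necessary but not sufficient check; when in doubt, treat the host as out of scope.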
Reporting security vulnerabilities
If you believe you have discovered a security vulnerability, please share the details with us by completing the form below.
We will acknowledge receipt of your report within five business days and work with you to understand the issue so we can validate it. We will also do our best to give an estimate on the resolution of the vulnerability and notify you when it is fixed.