Data security is a top priority for ClassPass, and ClassPass believes that working with skilled, external security researchers is an important way to identify weaknesses in our software.
If you believe you've found a security vulnerability in ClassPass's service, please notify us; we will work with you to resolve the issue promptly.
We value those who take the time and effort to report security vulnerabilities and as such we offer a monetary bounty for disclosure of vulnerabilities.
If you believe you've discovered a potential vulnerability, please let us know by emailing us at email@example.com. We will acknowledge your email within 5 business days.
In your report please include details of:
- The website, IP or page where the vulnerability can be observed.
- A brief description of the type of vulnerability
- Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 30 days of disclosure. We will triage the issue to ensure it is not a duplicate, and to classify the severity of the vulnerability. Once triage is complete, assuming the vulnerability is unique, we will pay out a bounty based on the severity of the vulnerability via PayPal.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the ClassPass service. Please only interact with accounts you own or for which you have explicit permission from the account holder. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
While researching, we'd like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of ClassPass employees or contractors
- Any attacks against ClassPass's physical property or data centers
- Any attacks against our end users, or engaging in trade of stolen user credentials. Do not use leaked or compromised accounts belonging to others. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified.
Thank you for helping to keep ClassPass and our customers safe!
We may revise these guidelines from time to time. The most current version of the guidelines will always be available at https://classpass.com/vulnerability-disclosure.
ClassPass is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at firstname.lastname@example.org.