Data security is a top priority for ClassPass, and ClassPass believes that working with skilled, external security researchers is an important way to identify weaknesses in our software.
If you believe you've found a security vulnerability in ClassPass's service, please notify us; we will work with you to resolve the issue promptly.
We value those who take the time and effort to report security vulnerabilities and, as such, we offer a monetary bounty for disclosure of vulnerabilities.
Disclosure Policy
If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@classpass.com. We will acknowledge your email within 5 business days.
In your report please include details of:
- The website, IP or page where the vulnerability can be observed.
- A brief description of the type of vulnerability.
- Steps to reproduce. These should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 30 days of disclosure. We will triage the issue to ensure it is not a duplicate, and to classify the severity of the vulnerability. Once triage is complete, assuming the vulnerability is unique, we will pay out a bounty based on the severity of the vulnerability via PayPal.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the ClassPass service. Please only interact with accounts you own or for which you have explicit permission from the account holder. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
Exclusions
While researching, we'd like you to refrain from:
- Distributed Denial of Service (DDoS)
- Spamming
- Social engineering or phishing of ClassPass employees or contractors
- Any attacks against ClassPass's physical property or data centers
- Any attacks against our end users, or engaging in trade of stolen user credentials. Do not use leaked or compromised accounts belonging to others. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified.
Thank you for helping to keep ClassPass and our customers safe!
Changes
We may revise these guidelines from time to time. The most current version of the guidelines will always be available at https://classpass.com/vulnerability-disclosure.
Contact
ClassPass is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@classpass.com.