Rainforest recognizes the importance of security researchers in helping keep our customers safe. We encourage responsible disclosure of security vulnerabilities as described on this page.

Responsible disclosure includes:

• Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
• Making a good faith effort to not leak or destroy any Rainforest user data.
• Not defrauding Rainforest users or Rainforest itself in the process of discovery.
• In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Rewards

Attribution on our Hall of Fame hosted in this page.
Monetary compensation is not currently offered under this program.

Eligibility

Rainforest reserves the right to decide if the minimum severity threshold has been met and whether it was previously reported.
In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

• XSS
• CSRF
• Authentication bypass or privilege escalation
• Click jacking (except on www.rainforestqa.com)
• Remote code execution
• Obtaining user information

In general, the following would not meet the threshold for severity:

• Vulnerabilities on sites hosted by third parties (blog.rainforest.com, analytics, info.rainforestqa.com, status.rainforestqa.com, etc) unless they lead to a vulnerability on the main website
• Denial of Service and brute-force attacks
• Non-ideal but non-exploitable configuration issues
• Spamming or phishing
• Vulnerabilities in third party applications, such as Stripe or Heroku
• Vulnerabilities in third party applications which make use of the Rainforest API
• Clickjacking on the marketing website (www.rainforestqa.com)
• CORS on www.rainforestqa.com
• Intercom session persisting after logging out of Rainforest

For example, “Your servers are vulnerable to Heartbleed” (with reasonable proof) will absolutely get you listed here, but “Your servers don’t get an A+ rating on SSL Labs” will definitely not. Don’t expect a response for any reported issues that don’t fit with the guidelines.

How To Disclose

Disclose a vulnerability via email

Please include if possible:

• Description and potential impact
• Steps to reproduce the issue or a proof of concept
• Name and link for attribution on this page
• Thank you for helping keep our community safe!

Hall of Fame

2024

• 6th September 2024 - Raghav Arora

2023

• 25th July 2023 - Naor Yaacov

2022

• 21st June 2022 - Muhammad Arslan Kabeer

2021

• 9th September 2021 - Joross Esguerra
• 15th July 2021 - Jefferson Gonzales (Gonz)

2020

• 19th July 2020 - Badal Sardhara
• 24th June 2020 - Pethuraj M
• 23rd June 2020 - Ayushmaan Banerjee
• 23rd June 2020 - Subhamoy Guha
• 23rd June 2020 - Venkat Malla
• 22th June 2020 - Saurabh Siddharam Sanmane
• 20th June 2020 - Ashik Kunjumon

2019

• 11th April 2019 - csanuragjain
• 20th September 2019 - Mahendra Purbia

2018

• 27th August 2018 - Shivam Kamboj Dattana
• 1st April 2018 - Abdul Haq Khokhar

2017

• 2nd October 2017 - Yeasir Arafat
• 22th September 2017 - Prial Islam
• 6th July 2017 - Shubham Pathak
• 20th June 2017 - Maulik Vaidh

2016

• 29th December 2016 - Hamza Grindi
• 13th December 2016 - Sree Visakh Jain

2015

• 11th May 2015 - Shahmeer Amir
• 3rd March 2015 - Nicodemo Gawronski