Backbone Security Disclosure Policy

This policy exists to outline the rules around security disclosure. We value working with the security community to find vulnerabilities, in order to keep our business and customers safe.

To report vulnerabilities – please review the below rules – and email the report to



  • Please provide detailed reports with reproducible steps. If the report is not complete enough to reproduce the issue, it may not be triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report received—provided that it is reproducible.
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Provide us with enough detail (screenshots, walkthrough steps, et cetera) to reproduce the issue.
  • Give us time to fix the issue before announcing it to the world. The time needed varies based on the issue. But rest assured, once we know a problem exists, we are on the case.
  • Do not access/manipulate/delete data you do not usually have permission to access. We are very committed to our users’ data and experience. We would hate to have an unintentional glitch in the system result in someone messing with our users’ accounts. Live by the Golden Rule: Do not be a jerk. Seriously though, attempts like these will be reported.
  • Do not ask for payment; we do not offer cash payouts for disclosure.
  • As this is a private program, please do not discuss this program or any vulnerabilities outside of the program. If you desire to share your work outside the program, you will need express, written consent from Backbone.
  • Follow HackerOne’s disclosure guidelines.


When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks that require MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without modifying HTML/CSS.
  • Rate limiting or brute force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etcetera).
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than two stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors).
  • Tabnabbing
  • Open redirect without a demonstrated additional security impact
  • Issues that require unlikely user interaction


  • We review incoming issues on a weekly basis
  • If we have questions, we’ll follow up with you on your report
  • We do not offer awards, so please do not ask. This is simply an organized and safe way for the public to responsibly disclose security issues to our team
  • We will not publicly disclose any issues reported to us (unless they want to disclose issues at some point)


  • If you have played by the spirit and letter of this page, we pledge not to take legal action against you, cancel your Backbone accounts.
  • However, if you have not complied, we reserve the right to pursue legal action or other appropriate remedies. Seriously though, if you do right by us, we will do right by you. We do not want to get the legal system involved, and neither do you.
  • If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your operations were conducted in compliance with this policy.

Thank you for helping keep Backbone, and our users, safe!