Responsible Disclosure

Effective August 30, 2021.

Program Terms

Terrastruct’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and diagrams.

The scope for Terrastruct’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of

Good Faith

To be eligible to participate in Terrastruct’s bug bounty program we ask that all researchers act in good faith, which means:

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Eligibility to Participate

Participants must abide by Terrastruct’s User Agreement if testing with a Terrastruct account. Terrastruct employees, contractors who are currently working with Terrastruct or have worked with Terrastruct in the previous 6 months, or immediate family members of either are not eligible for bug bounties.

Report Quality

Reports are expected to be thorough and contain enough information that Terrastruct’s security team can easily duplicate any findings. If specially crafted files are required, they should be submitted as attachments. Screenshots and videos are encouraged. Submissions should not consist solely of a video.

Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.

Severity Determination

Terrastruct uses a simple scale to determine severity. Terrastruct will categorize valid submissions in one of the following categories at its sole discretion. Vulnerabilities are primarily rated by their impact on the confidentiality of private user data and on the safety of using the Terrastruct platform.


Critical vulnerabilities are those that result in the bulk compromise of user data such as diagrams, diagram passwords, team collaborators, and email addresses or the ability to bypass authentication and gain access to targeted accounts. Examples of critical vulnerabilities include:


High-rated vulnerabilities are those that allow impersonating other users or bypassing authorization to gain access to private diagrams. Examples include:


Medium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information. Examples include:


Low-risk vulnerabilities are typically vulnerabilities that allow a user to do something they shouldn’t, but with no serious security implications. Examples include:

Bounty Amounts

The upper limits on bounty for each bug class:

These are guidelines and may be adjusted by Terrastruct at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties.


Terrastruct agnostic:

Terrastruct specific:

Denial of service attacks:

Not in scope, don’t do it.

In-scope domains (inclusive of all subdomains):

Out-of-scope domains

Any SaaS or other service provider not explicitly called out. If you think it’s something owned by Terrastruct, you can send it along - we’ll decide if it’s out-of-scope.


Any information you receive or collect about Terrastruct, Terrastruct’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request by emailing us. Please note, not all requests for public disclosure can be approved.

Rights and Licenses

We may modify the Program Terms or cancel the Bug Bounty Program at any time.

By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.

By making a Submission, you give us the right to use your Submission for any purpose.


Reports must be submitted by email to