Security Vulnerability Disclosure Policy

At Pitch we truly appreciate when ethical hackers, security researchers, or any well-intentioned person report a security vulnerability to us. We take security seriously and we will respond diligently to any email sent to security@pitch.com

The goal of this document is to define how to engage with Pitch Security Team. Please read it in full if you believe to have found a security vulnerability in our application or infrastructure.

Scope

Please, only report issues related to the following:

  • Any website or service served from the pitch.com domain
  • Any website or service served from the pitch.io domain
  • Desktop applications
  • Mobile applications
  • Official integrations
  • Open-source projects pitch-io/cljest and pitch-io/uix

Out of Scope

The following reports — without an exploit proof-of-concept — will be classified as Not Applicable (N/A) or Informational. Every proof-of-concept always needs to comply with our Guidelines.

  • Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests);
  • TLS configuration weaknesses (e.g. "weak" cipher suite support, TLS1.0 support, sweet32, etc);
  • Reports indicating that our services do not fully align with "best practice" (e.g. missing security headers or sub-optimal email-related configuration);
  • Vulnerabilities or weaknesses in third-party services or sub-processors (but we might help you report them to the right vendor if we consider the report valid).

Reporting a Vulnerability

In response to your initial email to security@pitch.com, you will receive an acknowledgment reply email from the security team (usually within 5 working days of your report being received).

Following the initial contact, our security team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope, or is a duplicate report.

From this point, necessary remediation work will be assigned to the appropriate teams. Priority for bug fixes and/or mitigation will be assigned based on the severity of impact and complexity of exploitation.

Vulnerability reports may take some time to triage and/or remediate. You’re welcome to inquire on the status of the process but please limit this to no more than once every 14 days to help our security team focus on the reports as much as possible.

Our security team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately. We will offer you the opportunity to provide feedback to us on the process and relationship as well as the vulnerability resolution. This information will be used in strict confidence to help us improve how we handle reports and/or develop services and resolve vulnerabilities.

Guidelines

In accordance with industry standards, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately while also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers).

We require that all researchers:

  • Avoid privacy violations, degradation of user experience, disruption to production services, and destruction or manipulation of data;
  • Only use exploits to the extent necessary to confirm a vulnerability, and stop testing and report the issue immediately if you gain access to any non-public application, any private data, or non-public credentials;
  • Add the header Pentest: Researcher to your requests during the tests;
  • Avoid aggressive scanners, automated tools, and volumetric attacks;
  • Do not send more than 2 requests per second;
  • Submit any necessary screenshots, screen records, cURL requests, and reproduction steps to help our security team reproduce the vulnerability;
  • Not disclose any vulnerabilities in Pitch systems/services to 3rd parties/the public before the Pitch confirming that those vulnerabilities have been mitigated or rectified. This does not prevent notification of a vulnerability to 3rd parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability in Pitch must not be referenced in such reports. If you are unsure about the status of a 3rd party to whom you wish to send notification, please email security@pitch.com for clarification;
  • Ensure you understand the targets, scopes, exclusions, and guidelines;

We request that all data retrieved during research be securely deleted as soon as it is no longer required and at most, one month after the vulnerability is resolved, whichever occurs soonest.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance at security@pitch.com. Please do not include any sensitive information in the initial communications.

Rewards and Bug Bounty

We do not currently run a bug bounty at Pitch. For vulnerabilities of relevant interest and impact in our application and infrastructure, we will review them at per-case basics regarding any type of reward.

Coordinated Disclosure

If the vulnerabilities are related to our clients (Desktop, iOS, and Android) or our open-source projects, and the patch requires user interaction, we commit to fixing critical vulnerabilities within 90 days and disclosing details upon patch release.

Legalities and Safe Harbor

This policy is designed to be compatible with common good practices among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause the Pitch to be in breach of any of its legal obligations, including but not limited to:

  • The General Data Protection Regulation 2016/679 (GDPR)

Pitch will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Pitch service.

Pitch is obligated to follow EU and international laws. This means that we aren’t able to pay bounties to residents or those who report vulnerabilities from a country against which the European Union has trade restrictions or export sanctions as determined by the European Union. We are also subject to additional rules from the European Union and UK. Therefore Pitch will not be processing payments to hackers located in any sanctioned region including Belarus, Russia, or sanctioned areas of Ukraine.

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team at security@pitch.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete, and remains relevant.

Thank you for helping keep Pitch and our users safe!