Responsible Vulnerability Disclosure
Follow this guide if you have found a vulnerability in the PandaDoc application or website and you would like to responsibly report it.
PandaDoc customers can report the vulnerability either to the Support team or send an email to security@pandadoc.com.
What we need from you:
- Describe the steps you followed to make the vulnerability exploitable, including any URLs or code you used. The more information you provide, the faster we can reproduce and fix the problem.
- Please do not send PDF, DOC, or EXE files or reports generated by DAST products. We do accept images.
Focus areas:
- Cross-site scripting (XSS)
- SQL injection (SQLi)
- Cross-site request forgery (CSRF)
- Remote code execution (RCE)
- Cookies that are not used for authentication or CSRF protection and are not marked as Secure or HttpOnly
- Data breaches, such as exposure of restricted or sensitive customer data
Public disclosure
You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.
The Hall of Fame
We’d like to sincerely thank every researcher who has helped improve PandaDoc throughout the years. We appreciate your hard work!
The Hall of Fame membership criteria:
- Security Researchers must contribute two or more times.
- Security Researchers must report issues of medium to high severity.
- Issue severity is determined by Bugcrowd’s Vulnerability Rating Taxonomy and relevance to our product.
- In case of a disagreement, the PandaDoc Security Team reserves the right to choose the severity rating for the issue.