Responsible Disclosure Program

Overview

At Homebase, we recognize that no technology is without flaws. That's why we value the expertise of security researchers around the world to help us uncover potential vulnerabilities. If you come across a security issue, we encourage you to reach out. We're committed to working together to address and resolve any concerns swiftly.

Homebase is a rapidly growing company. We are committed to delivering our products and services while minimizing the risks and threats to our assets.

SLA

Homebase will make a best effort to meet the following SLAs for researchers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 5 business days
  • Time to reward if applicable (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Rating and Rewards

For the initial prioritization of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, the priority of a vulnerability may be adjusted based on its likelihood or potential impact. If an issue is downgraded, we will provide an explanation to the researcher.

  • Likelihood = The chance that an attacker will discover and exploit this vulnerability. 
  • Impact = The combined technical and business impact. The technical impact refers to the effect on the application, its data, and its functions, while the business impact refers to the potential consequences for the business or company running the application. 

Our rewards table is internal and not being shared externally at this time. In the case of duplicate reports, only the first valid submission will be considered.

Reporting

If you’ve identified a potential security issue, please submit your findings to security@joinhomebase.com 

Please include the following information in your submission as well.

  • Provide sufficient details to help Homebase replicate and resolve the issue effectively:
    • Type of Vulnerability
    • Description of the Issue
    • Affected Asset
    • Impact Assessment
    • Environment Details (OS, Browser, Device, Application Version)
    • Prerequisites (Required conditions)
    • Detailed instructions with clear and concise steps
    • Payloads
    • Relevant Code or Configuration
    • Screenshots/Screen records
    • Recommended Mitigation

Guidelines

To ensure responsible testing and reporting, please follow these guidelines:

Credentials

Sign up for a free account using your email address at Homebase Sign Up. You'll automatically get a free account, no credit card required.

Vulnerabilities

Qualified

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Broken Access Control
  • Cryptographic Failures (Sensitive Data Exposure)
  • Injection (Including SQL, NoSQL, OS Command Injection)
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Mixed-Content Scripts
  • AI Prompt Injection

Not Qualified

  • Any testing involving repeated network requests, such as denial of service or rate limit testing.
  • If you find credentials (like Homebase or Okta logins), please report them but do not attempt to log in. We will validate them.
  • Fingerprinting or banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g., robots.txt).
  • Clickjacking and issues exploitable only through clickjacking.
  • Security best practices without proof of impact or exploitation.
  • Weak login/signup with no evidence of impact or exploitation.
  • Weak password policy without demonstrated impact or exploitation.
  • Cookie issues without evidence of impact or exploitation.
  • Missing Secure/HTTPOnly flags on non-sensitive cookies.
  • Missing HTTP security headers.
  • Publicly known zero-day vulnerabilities will not be eligible until 30 days after patch availability.
  • Descriptive error messages (e.g., Stack Traces, application or server errors).
  • EXIF data not stripped from files or attachments.
  • Attacks aimed at destroying or corrupting data not belonging to you.
  • Accessing or manipulating data outside your controlled domains, including customer data.
  • A cross-site scripting flaw that requires the victim to manually type in an XSS payload into a message and then double-click an error message may realistically not meet the bar.
  • User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don’t have any rate limits in place to protect our users.
  • Flaws affecting the users of out-of-date browsers and plugins.
  • Duplicate or already known issues.
  • Reports generated solely from automated tools or scans are prohibited.

Testing

  • Do not attempt to:
    • View, modify, or damage data belonging to others.
      • Make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
      • If you inadvertently access another person's data or Homebase company data without authorization while investigating an issue, promptly cease any activity that might result in further access to user or Homebase company data, notify Homebase what information was accessed (including a full description of the contents of the information), and then immediately delete the information from your system.
    • Disclose reported vulnerabilities until Homebase has addressed them.
    • Gain unauthorized access to another user’s account or data.
    • Exploit a security issue you discover for any reason other than testing purposes.
    • Conduct testing outside of your own account, a test account, or another account for which you have the explicit written consent of the account owner.
  • Do the following:
    • Configure your testing tool to use a custom User-Agent value before testing, and append your contact email address to it.

Scope 

Testing is only allowed on the targets listed as In-Scope. Any Homebase domain or property not listed, including subdomains, is out of scope. If you find a vulnerability on an out-of-scope target that belongs to Homebase, you can report it, and we’ll appreciate it—but it will be marked as "not applicable" and won't qualify for rewards or points.

In-Scope

The following systems and repositories are in scope for testing:

Out of Scope

The following are considered out of scope for this program:

  • joinhomebase.com
  • Other subdomains of Homebase
  • Social engineering against Homebase staff
  • Third Party Websites
    • Homebase services hosted in less common domains may be operated by our vendors or partners. We cannot authorize you to test these systems on behalf of their owners and will not reward such reports. Bug hunters will need to examine domain and IP WHOIS records to confirm ownership.

Safe Harbor Policy

When conducting vulnerability research under this policy, we consider your actions to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws. We will not pursue or support legal action against you for accidental, good-faith policy violations.
  • Exempt from the Digital Millennium Copyright Act (DMCA). We will not claim you violated technology control rules.
  • Exempt from restrictions in our Terms & Conditions that could block security research. We waive these limits for work done under this policy.
  • Lawful and beneficial to improving Internet security, as long as it’s done in good faith.

Please always follow applicable laws. If you’re unsure whether your research aligns with this policy, contact us at security@joinhomebase.com before proceeding.