Responsible Disclosure Program

Overview

At Homebase, we recognize that no technology is without flaws. That's why we value the expertise of security researchers around the world to help us uncover potential vulnerabilities. If you come across a security issue, we encourage you to reach out. We're committed to working together to address and resolve any concerns swiftly.

Homebase is a rapidly growing company. We are committed to delivering our products and services with as little risk to our assets, and to the customers who rely on them, as possible.

SLA

Homebase will make a best effort to meet the following SLAs for researchers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 5 business days
  • Time to reward if applicable (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Rating and Rewards

For the initial prioritization of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, the priority of a vulnerability may be adjusted based on its likelihood or potential impact. If an issue is downgraded, we will provide an explanation to the researcher.

  • Likelihood = The chance that an attacker will discover and exploit this vulnerability. 
  • Impact = The combined technical and business impact. The technical impact refers to the effect on the application, its data, and its functions, while the business impact refers to the potential consequences for the business or company running the application. 

Our rewards table is internal and not being shared externally at this time. In the case of duplicate reports, only the first valid submission will be considered.

Reporting

To ensure proper handling, tracking, and secure communication of vulnerability reports, all submissions must go through our designated Vulnerability Disclosure Portal.

Reporters are required to create an account in the portal to submit and follow up on their reports. All communication regarding reported issues will be conducted exclusively within the portal. This allows us to maintain consistency in our triage workflows and protect sensitive information throughout the disclosure process.

The portal form helps streamline triage and ensures all necessary details are captured. The fields you will be asked to fill in are listed under step 3 below.

How to Submit a Report

  1. Go to the Disclosure Portal:
    Vulnerability Disclosure Portal
  2. Create an Account:
    Click “Login” to access or create an account. You’ll be prompted to enter your email address, set a password and confirm your account via email.

    You can use the same account to submit additional reports in the future and view your submission history.
  3. Submit a Report:
    Once signed in, click “Report a Vulnerability” and fill out the form with the following details:
    • Vulnerability Title
    • Affected Asset/URL
    • Type of Vulnerability
    • Severity (if known)
    • Description of the issue and technical impact
    • Step-by-step reproduction instructions
    • Business impact or data risk assessment
    • Suggested remediation
    • Screenshots, logs, videos, or PoCs (if applicable)
  4. Track and Communicate:
    After submitting, you’ll be able to track your report’s status and communicate with our security team directly through the portal. You'll also receive email notifications for any status changes or updates.

Guidelines

To ensure responsible testing and reporting, please follow these guidelines:

Credentials

Sign up for a free account using your email address at Homebase Sign Up. You'll automatically get a free account, no credit card required.

Vulnerabilities

Qualified

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Broken Access Control
  • Cryptographic Failures (Sensitive Data Exposure)
  • Injection (Including SQL, NoSQL, OS Command Injection)
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Mixed-Content Scripts
  • AI Prompt Injection

Not Qualified 

  • Any testing involving repeated network requests, such as denial of service or rate limit testing.
  • If you find credentials (such as Homebase or Okta logins), report them but do not attempt to log in; we will validate them.
  • Fingerprinting or banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g., robots.txt).
  • Clickjacking and issues exploitable only through clickjacking.
  • Security best practices without proof of impact or exploitation.
  • Weak login/signup with no evidence of impact or exploitation.
  • Weak password policy without demonstrated impact or exploitation.
  • Cookie issues without evidence of impact or exploitation.
  • Missing Secure/HTTPOnly flags on non-sensitive cookies.
  • Missing HTTP security headers without demonstrated impact or exploitation.
  • Publicly known zero-day vulnerabilities will not be eligible until 30 days after patch availability.
  • Descriptive error messages (e.g., Stack Traces, application or server errors).
  • EXIF data not stripped from files or attachments.
  • Attacks aimed at destroying or corrupting data not belonging to you.
  • Accessing or manipulating data outside your controlled domains, including customer data.
  • A cross-site scripting flaw that requires the victim to manually type in an XSS payload into a message and then double-click an error message may realistically not meet the bar.
  • User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don’t have any rate limits in place to protect our users.
  • Flaws affecting the users of out-of-date browsers and plugins.
  • Reports generated solely from automated tools or scans, without manual validation, are not accepted.

Duplicate or Already Known Issues

Homebase only rewards the first valid report of a security issue. We do not offer rewards for submissions that fall into the following categories:

  1. Technical Duplicates
    Reports that describe the same issue as one already submitted by another researcher will be considered duplicates. We evaluate based on the earliest valid submission date.

  2. Root Cause Duplicates
    If multiple endpoints, parameters, or features share the same underlying vulnerability (e.g., the same logic flaw, insecure method, or missing authorization check), they may be treated as a single issue. Even if a new submission affects a different endpoint or page, it may be closed as a duplicate if the vulnerability stems from an already-known root cause.

    We acknowledge that these types of submissions may still provide audit value or highlight gaps in coverage, but unless they introduce materially different impact, bypass existing fixes, or expose previously unknown attack surfaces, they are not eligible for reward.

  3. Previously Identified or Accepted Risks
    Some vulnerabilities may have been discovered internally, through third-party audits, or during prior reports. These may be in progress for remediation or may be documented as known issues with compensating controls. In these cases, we reserve the right to close the report as “informational” or “not applicable.”

    We recognize the effort involved in these reports and appreciate the broader visibility they can provide. If you have questions about whether your finding constitutes a novel issue, feel free to reach out before submission.

AI

We understand that researchers may leverage AI tools to assist with report writing, scanning, or vulnerability discovery. While AI can be a helpful aid, all reports must still meet the same bar for accuracy, originality, and actionable detail. Reports that appear copy & pasted, low effort, or contain exaggerated issues will be closed as invalid or N/A.

We encourage the thoughtful use of AI but expect researchers to validate and contextualize their findings before submission. Regardless of the tools used, researchers are ultimately responsible for the quality and correctness of their reports.

Testing

  • Do not:
    • View, modify, or damage data belonging to others.
    • Disclose reported vulnerabilities until Homebase has addressed them.
    • Gain unauthorized access to another user’s account or data.
    • Exploit a security issue you discover for any reason other than testing.
    • Test outside of your own account, a test account, or another account whose owner has given you explicit written consent to test.
  • Do:
    • Make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
    • If you inadvertently access another person's data or Homebase company data without authorization while investigating an issue, promptly cease any activity that might result in further access, notify Homebase what information was accessed (including a full description of its contents), and then immediately delete the information from your systems.
    • Configure your testing tool to use a custom User-Agent value that includes your contact email address before testing, so that our team can attribute your traffic.

Scope 

Testing is only allowed on the targets listed as In-Scope. Any Homebase domain or property not listed, including subdomains, is out of scope. If you find a vulnerability on an out-of-scope target that belongs to Homebase, you can report it, and we’ll appreciate it—but it will be marked as "not applicable" and won't qualify for rewards or points.

In-Scope

The following systems and repositories are in scope for testing:

Out of Scope

The following are considered out of scope for this program:

  • joinhomebase.com
  • Other subdomains of Homebase
  • Social engineering against Homebase staff
  • Third Party Websites
    • Homebase services hosted in less common domains may be operated by our vendors or partners. We cannot authorize you to test these systems on behalf of their owners and will not reward such reports. Bug hunters will need to examine domain and IP WHOIS records to confirm ownership.
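As an added example, not part of the Homebase policy or its portal tooling, the Python helper below enforces the two operational rules from the Testing and Scope sections before a request is built: the target host must match an in-scope entry exactly (unlisted subdomains are out of scope), and every request carries a User-Agent that includes your contact email. The host app.example.com and the address researcher@example.org are hypothetical placeholders, and the User-Agent format is an assumption, since the program only asks that the address be present. The host check also goes beyond the text by showing why it should run on the parsed hostname rather than on the raw URL string.

```python
"""Scope-checked request builder for disclosure-program testing.

Added example, not Homebase's own tooling. Hosts and e-mail are placeholders.
"""
from urllib.parse import urlsplit
from urllib.request import Request


class OutOfScopeError(ValueError):
    """Raised when a URL's host is not an exact match for an in-scope host."""


def research_user_agent(contact_email, tool="manual-testing"):
    """Build a User-Agent that lets the program attribute traffic to you.

    The exact format is an assumption; the policy only requires that the
    contact e-mail be present in a custom User-Agent value.
    """
    return f"{tool} (security research; contact: {contact_email})"


def host_in_scope(url, in_scope_hosts):
    """Exact host match only: unlisted subdomains are out of scope.

    urlsplit().hostname discards userinfo and port and lowercases the host,
    which defeats lookalikes such as https://app.example.com@evil.com/ and
    https://app.example.com.evil.com/ that a substring check on the raw URL
    would wrongly accept.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None:
        return False
    return host in {h.lower() for h in in_scope_hosts}


def build_request(url, contact_email, in_scope_hosts, method="GET"):
    """Return a urllib Request for an in-scope URL, or raise OutOfScopeError."""
    if not host_in_scope(url, in_scope_hosts):
        raise OutOfScopeError(f"refusing to test out-of-scope URL: {url}")
    return Request(url, method=method,
                   headers={"User-Agent": research_user_agent(contact_email)})


# Constructed placeholders: the real in-scope list comes from the program page.
IN_SCOPE_HOSTS = {"app.example.com"}
CONTACT = "researcher@example.org"

if __name__ == "__main__":
    req = build_request("https://app.example.com/login", CONTACT, IN_SCOPE_HOSTS)
    print(req.full_url, req.get_header("User-agent"))
    for url in ("https://api.app.example.com/", "https://app.example.com@evil.com/"):
        try:
            build_request(url, CONTACT, IN_SCOPE_HOSTS)
        except OutOfScopeError as exc:
            print(exc)
```

Point a session or scanner through build_request (or copy its User-Agent into the tool's configuration) so that an out-of-scope target is refused before any traffic leaves your machine rather than noticed afterwards in the report.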

Safe Harbor Policy

When conducting vulnerability research under this policy, we consider your actions to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws. We will not pursue or support legal action against you for accidental, good-faith policy violations.
  • Exempt from the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). We will not bring a claim against you for circumventing technology controls in the course of this research.
  • Exempt from restrictions in our Terms & Conditions that could block security research. We waive these limits for work done under this policy.
  • Lawful and beneficial to improving Internet security, as long as it’s done in good faith.

Please always follow applicable laws. If you’re unsure whether your research aligns with this policy, contact us at security@joinhomebase.com before proceeding.