Skip to main content

Plane Security Response

Our commitment

At Plane, security is a core value. We appreciate security researchers who help us maintain high standards for our users’ security and privacy through responsible vulnerability research and disclosure.

Reporting a vulnerability

Submit vulnerability reports via email to security@plane.com.

What we promise

When you report a valid security issue:
  • We will respond within 3 business days with an initial assessment.
  • We will handle your report with strict confidentiality.
  • We will keep you informed about our progress resolving the issue.
  • We will not take legal action against researchers who follow this policy.
  • We will recognize your contribution if you wish.

In-scope vulnerabilities

We’re primarily interested in high and medium severity issues that affect the security of our users’ data or our systems:
  • Remote code execution
  • SQL injection
  • Authentication or authorization flaws
  • Server-side request forgery
  • Significant business logic vulnerabilities
  • Serious cross-site scripting (XSS)
  • Cross-site request forgery with significant impact
  • Substantial permission model bypasses
  • Sensitive data exposure

Out-of-scope issues

The following issues are considered out of scope for our program.

General issues

  • Theoretical vulnerabilities without proof of exploitation
  • Reports from automated scanners without manual verification
  • Best-practice concerns without evidence of a security vulnerability
  • UI/UX bugs and spelling mistakes
  • Broken links (dead links)
  • Banner disclosure on common or public services
  • Reports of spam
  • Username or email address enumeration
  • Open ports without a vulnerability

Authentication and session management

  • Password and account recovery policies, such as reset-link expiration or password complexity
  • Existing sessions not being invalidated when 2FA is enabled
  • Enabling 2FA without verifying the email address
  • The presence of application or web browser autocomplete or save-password functionality

Request handling and input validation

  • Cross-site request forgery (CSRF) on unauthenticated forms
  • Logout CSRF
  • Self-XSS requiring user interaction
  • Reflected file download (RFD)
  • Unrestricted file upload without a clear attack scenario or proof of concept
  • Hyperlink injection in emails
  • Content spoofing and text injection without the ability to modify HTML or CSS
  • Rate-limiting or brute-force issues

Headers and configuration

  • Missing security headers not related to a vulnerability
  • HTTP security header configuration suggestions without a proven exploit
  • Missing DNSSEC, CAA, or CSP headers
  • Lack of Secure or HTTPOnly flags on non-sensitive cookies
  • HSTS header issues
  • Insecure SSL/TLS ciphers without a working proof of concept

Infrastructure issues

  • Disclosure of known public files or directories, such as robots.txt
  • Host header injection without demonstrated exploitation
  • HTTP 404 pages or other HTTP error pages
  • Attacks requiring a man-in-the-middle (MITM) position
  • Issues related to DNS or email security, including SPF, DKIM, or DMARC configuration
  • EXIF information not stripped from uploaded images

Denial of service

  • Any activity that could lead to disruption of our service (DoS)
  • DoS targeting other users on the same account
  • DoS based on submitting large payloads or unlimited field lengths
  • DoS based on a lack of pagination

Device-specific issues

  • Issues requiring physical or console access to a user’s device
  • Mobile application issues only exploitable on rooted or jailbroken devices
  • Vulnerabilities only affecting outdated or unpatched browsers or platforms
  • JavaScript code executed from a PDF within the browser’s PDF viewer

Race conditions

  • Race conditions that do not compromise security or only bypass plan limits

Testing guidelines

When conducting security research:
  • Only test on accounts you own.
  • Do not access, modify, or store data unnecessarily.
  • Stop testing and report immediately if you encounter sensitive data.
  • Do not use automated scanners against our production systems.
  • Do not disrupt our services or user experience.
  • Report vulnerabilities promptly after discovery.

Safe harbor

Security researchers who follow this policy when conducting vulnerability research are:
  • Considered to be acting in good faith.
  • Exempt from restrictions in our Terms of Service that would prohibit testing.
  • Protected from legal action by Plane related to their research.
If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Disclosure policy

We follow a coordinated disclosure model:
  • Do not disclose vulnerability details publicly until we’ve addressed the issue.
  • We aim to resolve critical issues within 90 days of verification.
  • If you want to publish your findings after remediation, please coordinate with us.

Rewards

Plane may provide rewards to researchers who submit original, in-scope vulnerabilities of medium severity or higher. We do not currently offer monetary rewards for low-severity vulnerabilities. Each report is assessed based on criticality, impact, and risk to our customers and our company: We award vulnerability reports at our discretion. To be eligible for a bounty, your submission must be accepted as in scope and valid. We use these guidelines to determine the validity of reports:
  • Our engineers must be able to reproduce the reported vulnerability.
  • If we receive multiple reports of the same vulnerability, the first clear, reproducible report will be awarded.
  • You are solely responsible for any applicable taxes, transaction fees, or other withholdings that arise from or relate to your participation in this program.
  • Reports from individuals we are prohibited by law from paying are ineligible for awards.