Plane Security Response
Our commitment
At Plane, security is a core value. We appreciate security researchers who help us maintain high standards for our users’ security and privacy through responsible vulnerability research and disclosure.Reporting a vulnerability
Submit vulnerability reports via email to security@plane.com.What we promise
When you report a valid security issue:- We will respond within 3 business days with an initial assessment.
- We will handle your report with strict confidentiality.
- We will keep you informed about our progress resolving the issue.
- We will not take legal action against researchers who follow this policy.
- We will recognize your contribution if you wish.
In-scope vulnerabilities
We’re primarily interested in high and medium severity issues that affect the security of our users’ data or our systems:- Remote code execution
- SQL injection
- Authentication or authorization flaws
- Server-side request forgery
- Significant business logic vulnerabilities
- Serious cross-site scripting (XSS)
- Cross-site request forgery with significant impact
- Substantial permission model bypasses
- Sensitive data exposure
Out-of-scope issues
The following issues are considered out of scope for our program.General issues
- Theoretical vulnerabilities without proof of exploitation
- Reports from automated scanners without manual verification
- Best-practice concerns without evidence of a security vulnerability
- UI/UX bugs and spelling mistakes
- Broken links (dead links)
- Banner disclosure on common or public services
- Reports of spam
- Username or email address enumeration
- Open ports without a vulnerability
Authentication and session management
- Password and account recovery policies, such as reset-link expiration or password complexity
- Existing sessions not being invalidated when 2FA is enabled
- Enabling 2FA without verifying the email address
- The presence of application or web browser autocomplete or save-password functionality
Request handling and input validation
- Cross-site request forgery (CSRF) on unauthenticated forms
- Logout CSRF
- Self-XSS requiring user interaction
- Reflected file download (RFD)
- Unrestricted file upload without a clear attack scenario or proof of concept
- Hyperlink injection in emails
- Content spoofing and text injection without the ability to modify HTML or CSS
- Rate-limiting or brute-force issues
Headers and configuration
- Missing security headers not related to a vulnerability
- HTTP security header configuration suggestions without a proven exploit
- Missing DNSSEC, CAA, or CSP headers
- Lack of Secure or HTTPOnly flags on non-sensitive cookies
- HSTS header issues
- Insecure SSL/TLS ciphers without a working proof of concept
Infrastructure issues
- Disclosure of known public files or directories, such as
robots.txt - Host header injection without demonstrated exploitation
- HTTP 404 pages or other HTTP error pages
- Attacks requiring a man-in-the-middle (MITM) position
- Issues related to DNS or email security, including SPF, DKIM, or DMARC configuration
- EXIF information not stripped from uploaded images
Denial of service
- Any activity that could lead to disruption of our service (DoS)
- DoS targeting other users on the same account
- DoS based on submitting large payloads or unlimited field lengths
- DoS based on a lack of pagination
Device-specific issues
- Issues requiring physical or console access to a user’s device
- Mobile application issues only exploitable on rooted or jailbroken devices
- Vulnerabilities only affecting outdated or unpatched browsers or platforms
- JavaScript code executed from a PDF within the browser’s PDF viewer
Race conditions
- Race conditions that do not compromise security or only bypass plan limits
Testing guidelines
When conducting security research:- Only test on accounts you own.
- Do not access, modify, or store data unnecessarily.
- Stop testing and report immediately if you encounter sensitive data.
- Do not use automated scanners against our production systems.
- Do not disrupt our services or user experience.
- Report vulnerabilities promptly after discovery.
Safe harbor
Security researchers who follow this policy when conducting vulnerability research are:- Considered to be acting in good faith.
- Exempt from restrictions in our Terms of Service that would prohibit testing.
- Protected from legal action by Plane related to their research.
Disclosure policy
We follow a coordinated disclosure model:- Do not disclose vulnerability details publicly until we’ve addressed the issue.
- We aim to resolve critical issues within 90 days of verification.
- If you want to publish your findings after remediation, please coordinate with us.
Rewards
Plane may provide rewards to researchers who submit original, in-scope vulnerabilities of medium severity or higher. We do not currently offer monetary rewards for low-severity vulnerabilities. Each report is assessed based on criticality, impact, and risk to our customers and our company:
We award vulnerability reports at our discretion. To be eligible for a bounty,
your submission must be accepted as in scope and valid.
We use these guidelines to determine the validity of reports:
- Our engineers must be able to reproduce the reported vulnerability.
- If we receive multiple reports of the same vulnerability, the first clear, reproducible report will be awarded.
- You are solely responsible for any applicable taxes, transaction fees, or other withholdings that arise from or relate to your participation in this program.
- Reports from individuals we are prohibited by law from paying are ineligible for awards.