> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security response policy

# Plane Security Response

## Our commitment

At Plane, security is a core value. We appreciate security researchers who help
us maintain high standards for our users' security and privacy through
responsible vulnerability research and disclosure.

## Reporting a vulnerability

Submit vulnerability reports via email to
[security@plane.com](mailto:security@plane.com).

## What we promise

When you report a valid security issue:

* We will respond within 3 business days with an initial assessment.
* We will handle your report with strict confidentiality.
* We will keep you informed about our progress resolving the issue.
* We will not take legal action against researchers who follow this policy.
* We will recognize your contribution if you wish.

## In-scope vulnerabilities

We're primarily interested in high and medium severity issues that affect the
security of our users' data or our systems:

* Remote code execution
* SQL injection
* Authentication or authorization flaws
* Server-side request forgery
* Significant business logic vulnerabilities
* Serious cross-site scripting (XSS)
* Cross-site request forgery with significant impact
* Substantial permission model bypasses
* Sensitive data exposure

## Out-of-scope issues

The following issues are considered out of scope for our program.

### General issues

* Theoretical vulnerabilities without proof of exploitation
* Reports from automated scanners without manual verification
* Best-practice concerns without evidence of a security vulnerability
* UI/UX bugs and spelling mistakes
* Broken links (dead links)
* Banner disclosure on common or public services
* Reports of spam
* Username or email address enumeration
* Open ports without a vulnerability

### Authentication and session management

* Password and account recovery policies, such as reset-link expiration or
  password complexity
* Existing sessions not being invalidated when 2FA is enabled
* Enabling 2FA without verifying the email address
* The presence of application or web browser autocomplete or save-password
  functionality

### Request handling and input validation

* Cross-site request forgery (CSRF) on unauthenticated forms
* Logout CSRF
* Self-XSS requiring user interaction
* Reflected file download (RFD)
* Unrestricted file upload without a clear attack scenario or proof of concept
* Hyperlink injection in emails
* Content spoofing and text injection without the ability to modify HTML or CSS
* Rate-limiting or brute-force issues

### Headers and configuration

* Missing security headers not related to a vulnerability
* HTTP security header configuration suggestions without a proven exploit
* Missing DNSSEC, CAA, or CSP headers
* Lack of Secure or HTTPOnly flags on non-sensitive cookies
* HSTS header issues
* Insecure SSL/TLS ciphers without a working proof of concept

### Infrastructure issues

* Disclosure of known public files or directories, such as `robots.txt`
* Host header injection without demonstrated exploitation
* HTTP 404 pages or other HTTP error pages
* Attacks requiring a man-in-the-middle (MITM) position
* Issues related to DNS or email security, including SPF, DKIM, or DMARC
  configuration
* EXIF information not stripped from uploaded images

### Denial of service

* Any activity that could lead to disruption of our service (DoS)
* DoS targeting other users on the same account
* DoS based on submitting large payloads or unlimited field lengths
* DoS based on a lack of pagination

### Device-specific issues

* Issues requiring physical or console access to a user's device
* Mobile application issues only exploitable on rooted or jailbroken devices
* Vulnerabilities only affecting outdated or unpatched browsers or platforms
* JavaScript code executed from a PDF within the browser's PDF viewer

### Race conditions

* Race conditions that do not compromise security or only bypass plan limits

## Testing guidelines

When conducting security research:

* Only test on accounts you own.
* Do not access, modify, or store data unnecessarily.
* Stop testing and report immediately if you encounter sensitive data.
* Do not use automated scanners against our production systems.
* Do not disrupt our services or user experience.
* Report vulnerabilities promptly after discovery.

## Safe harbor

Security researchers who follow this policy when conducting vulnerability
research are:

* Considered to be acting in good faith.
* Exempt from restrictions in our Terms of Service that would prohibit
  testing.
* Protected from legal action by Plane related to their research.

If legal action is initiated by a third party against you for activities that
were conducted in accordance with this policy, we will make this authorization
known.

## Disclosure policy

We follow a coordinated disclosure model:

* Do not disclose vulnerability details publicly until we've addressed the
  issue.
* We aim to resolve critical issues within 90 days of verification.
* If you want to publish your findings after remediation, please coordinate
  with us.

## Rewards

Plane may provide rewards to researchers who submit original, in-scope
vulnerabilities of medium severity or higher.

We do not currently offer monetary rewards for low-severity vulnerabilities.

Each report is assessed based on criticality, impact, and risk to our customers
and our company:

| Severity | Impact                                                             | Examples                                                                                                       |  Reward |
| -------- | ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------- | ------: |
| Critical | Systemic compromise                                                | XXE injection and SQL injection with significant impact; remote code execution; vertical authentication bypass | \$1,500 |
| High     | Full access to another user's private data                         | IDOR, stored XSS, and CSRF with significant impact; internal SSRF; lateral authentication bypass               |   \$900 |
| Medium   | Limited access to another user's private data                      | IDOR, reflected XSS, and CSRF with impact                                                                      |   \$300 |
| Low      | Configuration issues and other vulnerabilities with limited impact | SSL misconfigurations; XSS and CSRF with limited impact                                                        |    None |

We award vulnerability reports at our discretion. To be eligible for a bounty,
your submission must be accepted as in scope and valid.

We use these guidelines to determine the validity of reports:

* Our engineers must be able to reproduce the reported vulnerability.
* If we receive multiple reports of the same vulnerability, the first clear,
  reproducible report will be awarded.
* You are solely responsible for any applicable taxes, transaction fees, or
  other withholdings that arise from or relate to your participation in this
  program.
* Reports from individuals we are prohibited by law from paying are ineligible
  for awards.
