Keeping user information safe and secure is a top priority and a core company value for us at Rewind. If you have found a vulnerability with any of our in-scope assets, we encourage you to report it to us. We will work with you to resolve the vulnerability promptly.

We thank everyone for their contributions and reward those who submit a valid report with a bounty appropriate to the severity of the vulnerability disclosed.

Assets In Scope

Our Rewind, Replay and Backhub applications and public API are in scope:

  • app.rewind.com
  • api.rewind.com
  • app.replay.sh
  • n.backhub.co

Our Rewind and Backhub marketing websites are in scope:

  • www.rewind.com
  • www.backhub.co

Subdomain takeover vulnerabilities found under our domains are in scope. All other vulnerabilities related to subdomains/assets not listed above are out of scope.

  • *.rewind.com
  • *.replay.sh
  • *.backhub.co

We will review all reports submitted and validate their respective findings at our discretion.

Assets Out of Scope

Any assets hosted by third parties (and hence reached via a CNAME record) are out of scope: status.rewind.com, help.rewind.com, 365.rewind.com, etc.

Bounty Rewards

We categorize valid vulnerabilities using Bugcrowd’s Vulnerability Rating Taxonomy and assign bounty rewards per vulnerability as follows:

  • P5 – Swag only, no monetary reward
  • P4 – $200
  • P3 – $750
  • P2 – $2000
  • P1 – $5000

All reward amounts are paid in Canadian dollars and payment is made via PayPal or bank wire transfer only. You are responsible for any tax implications resulting from payment.

Depending on the circumstances, multiple submissions from the same researcher that are categorically similar may be deemed one vulnerability in Rewind’s sole discretion.

Out of Scope Vulnerabilities and Activities

The following vulnerabilities and activities are outside the scope of our VDP and are not eligible for submission:

Denial of Service

  • Denial of service, rate-limiting attacks or other forms of resource exhaustion

Physical or Social Engineering

  • Social engineering of Rewind employees or contractors
  • Physical attempts against Rewind property
  • Attacks requiring physical access to a user’s device

Information Disclosure of Non-Sensitive Data

  • Missing cookie flags on non-sensitive cookies
  • Descriptive error messages, such as stack traces or application and server errors, unless they include customer or business data
  • IP/port scanning via Rewind services, unless you are able to reach private IPs or Rewind servers

Low Impact Vulnerabilities

  • Issues with SPF and DMARC records
  • CSRF with minimal impact, such as login/logout CSRF
  • Lack of CSRF tokens without demonstrable impact
  • Missing best practices, such as missing security headers
  • Reports from automated scanners without demonstrable impact
  • Clickjacking of pages that do not lead to sensitive actions, such as account modification
  • Content spoofing with minimal impact, such as non-HTML text injection
  • Host header injection without demonstrable impact
  • Insecure SSL/TLS ciphers without demonstrable impact
  • Account policies, such as email verification, password complexity or reset link expiration
  • User enumeration
  • Vulnerabilities affecting out-of-date browsers and platforms
  • Use of libraries with known vulnerabilities without demonstrable impact
  • Use of Rewind for spamming, such as lack of rate limiting for emails
  • Hyperlink injection or any link injection in emails sent by Rewind

Responsible Disclosure Guidelines

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Contact us in a personal capacity
  • Are not considered a minor where you live, or have a signed letter proving your parent or legal guardian’s permission to contact us
  • Do not reside in a country currently on the Canada sanctions list or in a country currently subject to a U.S. (OFAC) sanctions program
  • Create a new account for security research purposes, and add the string ‘rewindvdp’ as an alias to your registered email address, full name or organization name so we can track related requests
  • Do not access, modify or exfiltrate our data or our users’ data; interact only with your own accounts or test accounts created for security research purposes
  • Contact us immediately if you inadvertently encounter user data; do not view, alter, save, store, transfer, or otherwise access the data, and purge any local copies immediately upon reporting the vulnerability to Rewind
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Comply with all applicable Federal, Provincial/State, and local laws and regulations in connection with your security research activities and your participation in Rewind’s VDP
  • Are respectful of our existing applications
  • Give us a reasonable time to respond to the issue before making any information about it public

How to Report to Us

If you have found a vulnerability in our in-scope assets, please send your report to security@rewind.com, encrypted with our PGP key, to prevent this critical information from falling into the wrong hands.

In your email please include the following:

  • Your name and contact information
  • Summary of the vulnerability
  • Description of the vulnerability
  • The type of vulnerability
  • Detailed steps to reproduce
  • URLs/targets that were tested

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the applicable laws. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Rewind’s VDP, Rewind will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Rewind reserves the right to modify the rules, benefits, conditions of participation, qualification criteria or bounty rewards for this VDP at any time.

This VDP shall be governed by the laws of the province of Ontario and the law of Canada applicable therein, and shall be subject to the exclusive jurisdiction of the courts of the Province of Ontario, in the city of Ottawa, Ontario.