Keeping user information safe and secure is a top priority and a core company value for us at Rewind. If you have found a vulnerability with any of our in-scope assets, we encourage you to report it to us.

Assets In Scope

Automated vulnerability scans using tools such as Burp Scanner or Intruder, WPScan, Netsparker, etc. are strictly prohibited.

Our Rewind, Replay and Backhub applications and public API are in scope:

  • app.rewind.com
  • api.rewind.com
  • app.replay.sh
  • n.rewind.com
  • eu.rewind.com

Subdomain takeover vulnerabilities found under our domains are in scope. All other vulnerabilities related to subdomains/assets not listed above are out of scope.

  • *.rewind.com
  • *.replay.sh
  • *.rewind.io

Assets Out of Scope

Any assets hosted by 3rd parties (and hence CNAME’ed) are out of scope: status.rewind.com, help.rewind.com, 365.rewind.com, partners.rewind.com, etc.

Our marketing websites are out of scope: rewind.com and www.rewind.com.

If vulnerabilities are discovered in 3rd party assets, they should be reported directly to the 3rd party.

Out of Scope Vulnerabilities and Activities

The following vulnerabilities and activities are outside the scope of our VDP program.

Denial of Service

  • Denial of service, rate-limiting attacks or other forms of resource exhaustion

Physical or Social Engineering

  • Social engineering of Rewind employees or contractors
  • Social engineering attacks against customers without a technical component
  • Physical attempts against Rewind property
  • Attacks requiring physical access to a user’s device

Information Disclosure of Non-Sensitive Data

  • Missing cookie flags on non-sensitive cookies
  • Descriptive error messages, such as stack traces or application and server errors, unless they include customer or business data
  • IP/Port Scanning via Rewind services unless you are able to hit private IPs or Rewind servers
  • CORS issues discovered in our marketing websites that do not affect endpoints that reveal sensitive information, such as public posts

Low Or No Impact Vulnerabilities

  • Issues with SPF, DKIM or DMARC records
  • CSRF with minimal impact, such as login/logout CSRF
  • Lack of CSRF tokens without demonstrable impact
  • Missing best practices, such as missing security headers
  • Vulnerabilities and reports from automated scanners without demonstrable impact
  • Clickjacking of pages that do not lead to sensitive actions, such as account modification
  • Content spoofing with minimal impact, such as non-HTML text injection
  • Host header injection without demonstrable impact
  • Insecure SSL/TLS ciphers without demonstrable impact
  • Account policies, such as email verification, password complexity or reset link expiration
  • User enumeration
  • Vulnerabilities affecting out-of-date browsers and platforms
  • Use of libraries with known vulnerabilities without demonstrable impact
  • Use of Rewind for spamming, such as lack of rate limiting for emails
  • Hyperlink injection or any link injection in emails sent by Rewind
  • Response manipulations that are not processed by the server and have no demonstrable impact
  • WordPress (www.rewind.com) or HubSpot CMS (www.rewind.com) issues related to missing best practices, CORS, Denial of Service attacks or disclosure of non-sensitive data
  • Non-sensitive key disclosures (AWS Access Keys in S3 signed URLs, New Relic browser license keys, etc.)

Responsible Disclosure Guidelines

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Contact us in a personal capacity
  • Not be considered a minor where you live, or have a signed letter proving your parent or legal guardian’s permission to contact us
  • Not reside in a country currently on the Canada sanctions list or in a country currently in a U.S. (OFAC) sanction program
  • Create a new account for security research purposes. Add the string ‘rewindvdp’ as an alias to your registered email address, full name or organization name so we can track related requests
  • Not access, modify or exfiltrate our data or our users’ data. Only interact with your own accounts or test accounts for security research purposes
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Rewind
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Comply with all applicable Federal, Provincial/State, and local laws and regulations in connection with your security research activities and your participation in Rewind’s VDP
  • Be respectful of our existing applications
  • Give us a reasonable time to respond to the issue before making any information about it public

How to Report to Us

Rewind recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by Rewind (or that would reasonably impact the security of Rewind and our users) using the web form below. The Rewind Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.