AWeber Responsible Disclosure Program
AWeber values independent Security Researchers to improve the security of our service. AWeber encourages the security community to report any issue to us directly and not to the public. We wish to foster cooperation within the security community. The following policy reflects our program rules. This program is subject to change at any time.
Scope of Qualifying Issues
The following issues, at AWeber’s discretion, on the production https://aweber.com/* domain.
- Broken Authentication
- Sensitive Data Exposure
- Broken Access Control
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using non-essential third-party components with known critical vulnerabilities
- The reporter of the issue must be the one that discovered the issue (no third-parties)
- The reporter must provide adequate time for issue response from AWeber and not disclose anything about the issue publicly until AWeber has acknowledged resolution or a final status
- The reporter must not modify or access data or code that they do not own
- The reporter must not exploit any issue to cause damage to AWeber systems
Non-Qualifying issues are at AWeber’s discretion including, but not limited to, the following:
- Issues in third party provided systems, data, and tools
- Output from automated off the shelf security scanning tools (for example, Qualys, BurpSuite)
- Generic vulnerability reports not explicitly pertaining to the aweber.com domain
- Issues resulting from out-of-date browser specific usage
- Simple, not-XSS content injection or URL redirection
- Cookie flags
- Logout cross-site request forgery
- Sending of spam
- Fraud-related activity or Account disputes
- Social Engineering or Physical Testing of AWeber facilities
- Denial of Service Attempts
- Functionality, UX, and UI defects that do not create a security threat
- Duplicate reports of issues previously reported by another researcher
- Duplicate reports of the same type of vulnerability on multiple pages or fields (for example, Stored XSS that executes from multiple fields)
- Best practices or additional hardening where there are already mitigating controls in place sufficient to reasonably protect AWeber users
- Issues on any of our Blogs: blog.aweber.com, videos.aweber.com
Reporting an issue
Send an email to firstname.lastname@example.org with the following information.
Incomplete or inaccurate reports that cannot be replicated will be deemed ineligible for any reward and may not receive a response.
- Summary of the issue
- URL(s) or location of issue
- Description and Details
- What is the issue
- What is the impact
- Replication steps
- Proof of Concept
- Trace Dump / HTTP Request
- Any additional info
- Attachments or Links of screenshots or other images
- Your name, email, and other contact information
What is done with my report?
Each report will be evaluated as they are submitted for legitimacy. AWeber will prioritize correcting all legitimate issues identified based on criticality. Please allow sufficient time for review which may take a few weeks to complete. In addition, please allow sufficient time for resolution of any issues as resolution timeframes are based on criticality and complexity. If your report is the first instance of a unique issue, we will contact you within a reasonable amount of time to let you know if you are eligible for a reward.
AWeber will not pursue legal action against individuals who follow all program rules where research is conducted in good faith with no impact to AWeber or its customers, partners, or advocates.
By submitting a report, you consent to provide your personal data to AWeber to contact you to clarify claims in your report and for facilitating any reward distribution.
For any qualifying confirmed issue, AWeber will compensate you with swag or monetary rewards.
Rewards will be commensurate with vulnerability criticality.
AWeber will determine the reward value at our sole discretion and all decisions are final.
Rewards will be paid only after issues are resolved fully and a solution is in place in our production environment.
- This program is not open to minors, individuals on sanctions lists, individuals in countries on sanctions lists, or AWeber employees.
- You are responsible for any tax implications or additional restrictions depending on your country and local law.
- All payments will be made in US Dollars (USD) via mailed check within the US or PayPal. Swag can only be shipped to a US address.
- We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at AWeber’s discretion.
- AWeber will not negotiate any rewards if put under duress.
- You must not violate any local, national, or international law in the course of your research.
- You must not disrupt any AWeber service or compromise any AWeber customer data which includes moving beyond a "proof-of-concept" for issue reproduction.