At DroneDeploy, we take the protection and security of our customers' data very seriously.
We recognize the value of independent security researchers and encourage security research on the DroneDeploy platform. We are committed to working with researchers to validate and quickly respond to any vulnerabilities reported to us. We ask that vulnerabilities not be disclosed publicly until we have had a chance to address and validate the issue.
Please use DroneDeploy free or trial accounts for testing and limit your research to your own account. The following items are out of scope:

- The forum.dronedeploy.com domain
- Social engineering attempts on DroneDeploy personnel or our customers
- Any other vulnerabilities that involve directly sending email to DroneDeploy email addresses
- Missing additional security controls, such as HSTS or CSP headers
- Cookies missing security flags
- Breaking of SSL/TLS trust (unless you can provide a working PoC)
- Accessing or attempting to access data or accounts that do not belong to you
- Attempts to modify, destroy, or corrupt data
- Brute forcing / rate limiting
- Executing or attempting to execute a denial of service attack; please refrain from using tools that could generate significant traffic
- Sending authorized emails or other forms of electronic communication to users
- Conducting a physical or electronic attack against DroneDeploy personnel or physical property
- Any activity that violates any applicable laws or agreements
- Vulnerabilities only affecting users of outdated or unpatched systems
- Additional missing security controls often considered "best practice", such as certificate pinning or mitigating information disclosures
If you believe you have discovered a security vulnerability, please submit the details in a timely manner by sending an email to security@dronedeploy.com. Please provide full details of the issue and the steps to reproduce it.