Vulnerability Reporting Policy

DroneDeploy Vulnerability Disclosure Policy

Overview

DroneDeploy is committed to maintaining the security and privacy of our systems and our users' data. We welcome and encourage security researchers to help us identify vulnerabilities in our systems through responsible disclosure. This policy outlines the terms under which security research may be conducted on DroneDeploy systems and how to report any discovered vulnerabilities.

Scope

This vulnerability disclosure policy applies to the following DroneDeploy systems and services:

In-Scope Systems

Out-of-Scope Systems

The following are explicitly NOT covered under this policy:

  • Third-party services and integrations not owned by DroneDeploy
  • Social engineering attacks against DroneDeploy employees or contractors
  • Physical attacks against DroneDeploy facilities or personnel
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Testing against production systems that could impact service availability
  • Any testing involving customer data or accounts other than your own
  • Attacks requiring access to privileged accounts or insider access

Out-of-Scope Items

The following items are not eligible for a bug bounty under this policy:

  • Cookies missing security flags
  • Missing additional security controls, such as HSTS or CSP headers
  • Breaking of SSL/TLS trust (unless you can provide a working PoC)
  • Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures
  • Missing CAA records
  • Missing DNSSEC
  • Duplicate vulnerability disclosures

Safe Harbor

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and DroneDeploy will:

  • Not pursue or recommend legal action against you for your research activities
  • Work with you to understand and resolve the issue quickly
  • Treat your research activities as authorized conduct under this policy

Responsible Testing Guidelines

When conducting security research on DroneDeploy systems, you must:

  • Respect Privacy: Avoid accessing, modifying, or deleting data that does not belong to you
  • Minimize Impact: Avoid disruption to production systems and services
  • Use Test Accounts: Limit testing to accounts you own or have explicit permission to test
  • Avoid Social Engineering: Do not engage in social engineering attacks against DroneDeploy employees
  • Follow Laws: Ensure your research activities comply with applicable laws and regulations
  • Act in Good Faith: Conduct research with the genuine intent of improving security

Reporting Process

How to Report

To report a vulnerability, please send an email to: security@dronedeploy.com

Please use a clear and descriptive subject line that summarizes the vulnerability (e.g., "SQL Injection in User Profile API" or "XSS in Dashboard Comments Section").

Required Information

Please include the following information in your vulnerability report:

  1. Vulnerability Description: A clear description of the vulnerability and its potential impact
  2. Affected Systems: Specific URLs, API endpoints, or systems affected
  3. Steps to Reproduce: Detailed, step-by-step instructions to reproduce the vulnerability
  4. Proof of Concept: Evidence demonstrating the vulnerability (screenshots, logs, etc.)
  5. Business Impact Assessment: Clear explanation of:
    • How the vulnerability could be exploited in a real-world scenario
    • What business consequences could result (data breach, financial loss, service disruption, reputational damage)
    • Who could be affected (customers, employees, company)
    • The realistic likelihood of exploitation
  6. Technical Details: Any relevant technical information such as:
    • Request/response data
    • Source code snippets
    • Configuration details
  7. Severity Assessment: Your assessment of the vulnerability's severity and potential impact
  8. Contact Information: How we can reach you for follow-up questions
  9. PayPal Email: Valid PayPal email address if you wish to be considered for financial compensation

What NOT to Include

  • Customer Data: Do not include any customer data or personally identifiable information
  • Credentials: Do not include passwords, API keys, or other sensitive credentials
  • Destructive Proof: Do not perform destructive actions to prove the vulnerability

Severity Classification

We assess vulnerabilities using the following severity framework:

  • Critical: Complete system compromise, unauthorized access to highly sensitive data, or widespread customer impact
  • High: Unauthorized access to sensitive data, significant privilege escalation, or authentication bypass
  • Medium: Limited unauthorized data access, denial of service, or moderate impact vulnerabilities
  • Low: Information disclosure, minor security misconfigurations, or low-impact findings
  • Negligible: Theoretical vulnerabilities with minimal practical exploitation path

Our Response Commitment

DroneDeploy commits to:

  • Initial Acknowledgment: Acknowledge receipt of your report within 3-5 business days
  • Regular Updates: Provide status updates as the remediation process progresses
  • Compensation Evaluation: Evaluate eligible reports for potential financial compensation
  • Status Update Policy: We will provide updates when we have them; we generally do not respond to requests for status updates

Coordinated Disclosure Timeline

We request that you provide DroneDeploy with at least 90 calendar days from the date of acknowledgment before publicly disclosing any vulnerability details. This coordinated disclosure period allows us adequate time to:

  • Investigate and validate the reported vulnerability
  • Develop and test appropriate fixes
  • Deploy remediation measures across affected systems
  • Coordinate with any affected third parties if necessary

If you believe an issue poses an imminent threat to users, please highlight this in your initial report so we can prioritize accordingly.

Compensation Policy

Financial Compensation

DroneDeploy offers financial compensation for valid, exploitable vulnerability reports based on the criteria outlined below. We are specifically looking for vulnerabilities that have demonstrable business impact and can be exploited in a real-world scenario.

Eligible Vulnerabilities:

  • Exploitable vulnerabilities with demonstrable business impact
  • Vulnerabilities that could lead to unauthorized access to sensitive data
  • Vulnerabilities that could compromise system integrity or availability
  • Vulnerabilities that could result in privilege escalation or authentication bypass

Non-Eligible Vulnerabilities:

  • Sandboxed vulnerabilities with no business impact
  • Theoretical vulnerabilities without practical exploitation paths
  • Vulnerabilities that require extensive user interaction or social engineering
  • Low-impact informational findings

Compensation factors include:

  • Severity and demonstrable business impact of the vulnerability
  • Quality and completeness of the vulnerability report and proof of concept
  • Ease of exploitation and realistic attack scenarios
  • Novelty of the vulnerability and attack vector

Compensation Range:

  • Valid, exploitable vulnerabilities may receive compensation up to $500
  • Payout amounts are determined based on severity, impact, and whether infrastructure or code changes are required for remediation
  • Most payouts fall in the $50-$200 range for typical findings

Payment Process

  • Payment Method: All compensation is paid exclusively via PayPal
  • PayPal Requirement: A valid PayPal email address is required to receive any payout
  • Payment Timeline: Payments are typically processed within 30 days of our determination to remediate the vulnerability (not completion of remediation)
  • Payment Discretion: All compensation amounts are determined solely at DroneDeploy's discretion
  • Payout Determination:
    • Compensation is provided when DroneDeploy makes infrastructure or code changes to remediate the vulnerability
    • If we accept the risk without making changes, the finding is not eligible for payout
    • This ensures we reward actionable findings that improve our security posture

Duplicate Reports

Vulnerabilities that have already been reported by other researchers are not eligible for compensation. We will notify you within 5 business days if your report is a duplicate.

Authorization

This policy provides authorization only for security research activities that comply with all terms outlined herein. Any activities outside the scope of this policy are not authorized.

Compliance with Laws

You are responsible for ensuring that your research activities comply with all applicable local, state, federal, and international laws and regulations.

Program Discretion

All decisions regarding bounty payments, including eligibility, reward amounts, and the interpretation of these Bug Bounty Policy terms, are at the sole discretion of DroneDeploy. This includes the discretion to decide not to pay a bounty for any reason. All decisions made by DroneDeploy are final and binding.

Intellectual Property

By submitting a vulnerability report ("Submission") to DroneDeploy, you grant DroneDeploy a worldwide, royalty-free, non-exclusive, perpetual, and irrevocable license to use, reproduce, modify, and otherwise exploit your Submission for any purpose. You acknowledge and agree that your Submission does not grant you any rights to or in the DroneDeploy platform or any other DroneDeploy intellectual property. You hereby expressly disclaim and waive any and all claims to any intellectual property rights in your Submission or in any new intellectual property developed by DroneDeploy based on your Submission. You represent and warrant that you have the right to grant the foregoing license and that your Submission does not violate the intellectual property rights of any third party.

Limitation of Scope

This policy does not create any legal rights beyond those specifically outlined herein, and DroneDeploy reserves the right to modify this policy at any time.

Questions and Contact

If you have questions about this vulnerability disclosure policy or need clarification on any aspect of the responsible disclosure process, please use the same contact information provided in the Reporting Process section above.

Policy Updates

This vulnerability disclosure policy may be updated from time to time. The most current version will always be available at https://help.dronedeploy.com/hc/en-us/articles/1500004862001-Vulnerability-Reporting-Policy.
