Responsible Disclosure Statement
At Conceptboard, the security of our systems is a top priority. Despite our best efforts, vulnerabilities may still exist. If you discover a vulnerability, we would like to know about it so we can take steps to address it and protect our users and platform.

Our promise
- We will respond to your report within 5 business days with an initial evaluation and expected resolution timeline.
- We will keep you informed of the progress of the remediation.
- We will handle your report confidentially.
- We will not share your personal data with third parties without your consent, unless required by law.
- We will credit you as the discoverer (unless you prefer to remain anonymous).
- Any potential rewards will be evaluated on a case-by-case basis after the issue has been validated. Reward decisions are made at Conceptboard’s discretion and may take into account factors such as the severity, impact, quality of the report, and available program budget.

Safe harbor
If you act in good faith and in accordance with this policy:
- We will not pursue legal action against you.
- We consider your activities to be authorized.

Disclosure
We follow a coordinated disclosure process:
- Do not publicly disclose the vulnerability before it has been resolved.
- We may coordinate with you on public disclosure after remediation. Typical disclosure timelines range between 30 and 90 days, depending on severity.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in any eventual publication about the problem after it is resolved.
Bug found? What to do now?
We appreciate your help in improving our security.
Please submit your findings by using the following URL.
Do’s and don’ts of taking part in our Bug Bounty Program
- Report the vulnerability as quickly as reasonably possible to minimize risk.
- Report in a way that preserves confidentiality and prevents unauthorized access to the information.
- Provide sufficient detail to reproduce the issue (e.g., URLs, endpoints, steps, PoC).
- Act in good faith and avoid privacy violations or disruption of services.
- Do not disclose the vulnerability to others until it has been resolved and disclosure has been agreed.
- Do not exploit the vulnerability beyond what is necessary to prove its existence.
- Do not access, modify, or delete data that does not belong to you.
- Do not make persistent changes to systems.
- Do not use brute force, social engineering, phishing, physical attacks, or denial of service.
- Do not repeatedly access systems or share access with others.
Scope
This Coordinated Vulnerability Disclosure (CVD) policy applies to all Conceptboard systems and services.
Out of scope
The following categories of findings are considered out of scope and are not eligible for bounty rewards.
These categories reflect recurring low-value or non-actionable submissions observed in the Conceptboard Bug Bounty Program.
A. Missing Security Headers
- Missing or misconfigured HTTP security headers, including:
  - Content Security Policy (CSP)
  - HSTS
  - X-Frame-Options
  - X-Content-Type-Options
  - Referrer-Policy
B. Cookie Attribute Issues
- Missing or weak cookie settings such as:
  - Missing Secure, HttpOnly, or SameSite flags
C. Information Disclosure Without Sensitive Data
- Exposure of non-sensitive information, including:
  - Server or framework versions
  - X-Powered-By headers
  - Generic stack traces without sensitive data
  - Internal paths or metadata without impact
D. Automated Scanner Results
- Reports generated solely from automated tools without manual validation or demonstrated impact
E. Business Logic Issues Without Impact
- Business logic flaws that do not demonstrate:
  - Unauthorized access to data
  - Modification of other users’ data
  - Integrity compromise
  - Abuse at scale
F. Self-XSS
- Cross-Site Scripting that only affects the reporting user and requires self-execution
G. Duplicate Reports
- Reports of already known vulnerabilities listed in Section 13
- Re-submissions without new exploitation techniques or increased impact
H. Theoretical Attacks
- Vulnerabilities without a working Proof of Concept (PoC)
- Hypothetical or non-reproducible attack scenarios
I. Low-Impact Abuse
- Abuse of functionality that does not lead to:
  - Security impact
  - System compromise
  - Data exposure
J. Rate Limiting Observations Without Exploitation
- Reports of missing rate limiting without demonstrated abuse or impact
K. Previously Defined Exclusions
- DDoS or traffic flooding attacks
- Social engineering and phishing
- Physical security issues
Known Security Issues:
The following list reflects previously reported vulnerabilities and recurring findings within Conceptboard. These examples are provided to clarify what is already known and which reports need to demonstrate a stronger impact to qualify.
Important:
The vulnerabilities listed below remain in scope if a new exploitation technique, bypass, or increased impact is demonstrated.
Confirmed Vulnerability Patterns
Sensitive Access Tokens Exposed in URLs
- /template-ui/account/team?access_token=<JWT>
- /login-redirect?access_token=<JWT>
Impact:
- Account/session takeover
- Administrative access
- Token leakage via logs and analytics
Broken Access Control (Cross-Organization Access)
- Manipulation of the userId in the invitation endpoints
Impact:
- Unauthorized board access
- Cross-tenant data exposure
- Unauthorized modification
Role-Based Access Control Bypass (Guest Privilege Escalation)
- Guest users performing restricted actions
Impact:
- Unauthorized workflow manipulation
CSRF on State-Changing Actions
- /account/profile?resendEmail=true
Impact:
- Email abuse
- Phishing amplification
Missing Rate Limiting (Email Change Flow)
- /account/profile
Impact:
- Email flooding
- Resource abuse
EXIF Metadata Leakage
- Uploaded images expose GPS/device data
Impact:
- Privacy violations
Client-Side Parameter Manipulation
- Vote manipulation → integrity impact
- Input length bypass → DoS
- Template uniqueness bypass → spoofing
Email-Based Injection / Phishing
- User-controlled input reflected in emails
Impact:
- Phishing from trusted domain
Session / Account State Issues
- Email change causing account lockout
Impact:
- Loss of access / takeover scenarios