Vulnerability Disclosure Program
The Sanity Vulnerability Disclosure Program (VDP) is intended to provide a clear process for security researchers and members of the public to responsibly report security vulnerabilities they discover in Sanity's systems, applications, or services, as outlined in the scope below.
By participating in this program, researchers agree to comply with these rules as well as our privacy policy and applicable laws.
Scope
The scope of the Sanity VDP includes:
- Sanity management interfaces:
  - https://manage.sanity.io
  - https://www.sanity.io
- Sanity APIs:
  - https://api.sanity.io
  - https://apicdn.sanity.io
The program covers security vulnerabilities discovered in Sanity's systems and software. It does not include vulnerabilities in third-party services or software used by Sanity unless they lead to a vulnerability in Sanity's systems.
Researchers should only test against their own accounts and data or test accounts and data. Testing should not disrupt or compromise any Sanity customer data.
Sanity will not fund or reimburse fees or subscription costs attached to research.
Qualifying Vulnerabilities
We will actively review all vulnerabilities reported to us; however, the findings listed below should be considered explicitly out of scope.
Excluded scope
- Denial of Service (DoS) attacks
- Resource exhaustion attacks
- Rate limiting issues
- Brute force attacks on login or forgot password pages
- Account lockout not enforced
- Disclosure of internal IP addresses, software versions, or software names
- Issues related to cross-domain policies without evidence of exploitability
- Username/email enumeration via login, pending invitations, forgot password, or registration error messages
- Cookie validation and expiration issues
- Weak ciphers used by TLS, or TLS versions prior to 1.3
- Static content over HTTP
- Open ports
- Overly shared storage buckets without demonstration of impact
- Any form of social engineering/phishing against Sanity staff or customers
- Vulnerability reports that require a large number of interactions from "target users", or unlikely or unreasonable user actions, where the issue is more symptomatic of a social engineering or phishing attack than of an application vulnerability
Rewards
Sanity's bug bounty pilot has now closed. We are not currently offering any monetary rewards, swag, or platform credits for vulnerability disclosures.
Reporting Bugs
If you wish to responsibly disclose a vulnerability to Sanity, we strongly prefer that you make use of the OpenSSF vulnerability reporting template to write your report.
You should send your report to security@sanity.io. Should you need to encrypt your report, or sections of it, for sensitive reasons, we ask that you use the PGP key for security@sanity.io, available on the OpenPGP site.
Response SLOs
We commit to answering your report within 3 business days (outside US holidays) with an acknowledgement of receipt. Triage, mitigation, and resolution of the findings can take longer and carry no committed timeline.
Legal and privacy points
By submitting an entry, you agree to Sanity's privacy policy on data handling. We use a ticketing system, which is listed in our subprocessors.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.