Vulnerability Rewards Program
The Sanity Vulnerability Rewards Program (VRP) is a way for security researchers to responsibly disclose vulnerabilities they discover in Sanity's systems and software. The program provides guidelines for testing and reporting vulnerabilities, as well as rewards for qualifying submissions.
The goal of this VRP is to encourage responsible disclosure of vulnerabilities by security researchers. By providing clear guidelines and rewards, we aim to work with the security community to identify and fix vulnerabilities before they can be exploited.
The VRP covers vulnerabilities in Sanity's systems and software, as outlined in the Scope section below. Researchers who discover qualifying vulnerabilities and report them according to the guidelines may be eligible for rewards, at Sanity's discretion.
By participating in this program, researchers agree to comply with these rules, our privacy policy, and applicable laws.
The scope of the Sanity VRP includes:
- The Sanity.io Manage interface: https://manage.sanity.io
- The Sanity APIs: api.sanity.io and apicdn.sanity.io
The program covers security vulnerabilities discovered in Sanity's systems and software. It does not include vulnerabilities in third-party services or software used by Sanity unless they lead to a vulnerability in Sanity's systems.
Researchers must test only against their own accounts and data, or against dedicated test accounts and data. Testing must not disrupt or compromise any Sanity customer data.
Sanity will not fund or reimburse fees or subscription costs attached to research.
The following types of vulnerabilities qualify for the Sanity VRP:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication and authorization issues
- Sensitive data exposure
- Remote code execution
- Business logic flaws
- Access to staging environment
However, certain categories or families of issues are explicitly excluded from the program:
- Denial of Service (DoS) attacks
- Resource exhaustion attacks
- Rate limiting issues
- Brute force attacks on login or forgot password pages
- Account lockout not enforced
- Disclosure of internal IP addresses, software versions, or software names
- Issues related to cross-domain policies without evidence of exploitability
- Username/email enumeration via login, forgot password, or registration error messages
- Cookie validation and expiration issues
- Weak ciphers used by TLS, or TLS versions prior to 1.3
- Static content over HTTP
- Open ports
- Overly shared storage buckets without demonstration of impact
And these broader categories of security research are not in scope either:
- Publicly developed, open-source software under http://github.com/sanity-io/
- Main marketing website: http://sanity.io
- Social Engineering attack vectors
- Phishing-based attack vectors
- Reports whose exploitation requires extensive interaction from target users, or unlikely or unreasonable user actions; such reports are more symptomatic of a social engineering or phishing attack than of an application vulnerability
We base rewards on the tier of the affected target and the impact of the finding. The list below is the baseline used to determine rewards.
Tier 1 targets: api.sanity.io and apicdn.sanity.io
- Example findings: RCE, crossing user and sandbox boundaries, SQLi, ...
- Reward range: $500-$1500
Tier 2 targets: the Manage interface
- Example findings: XSS on the Manage interface, logic flaws in the Manage UI, billing abuse vulnerabilities, ...
- Reward range: $50-$150
Final reward amounts are at the discretion of Sanity, and take into account the finding's impact on users, the elegance of the attack, and the quality of the report.
Once the finding has been confirmed, a reward is considered.
The rewards committee meets monthly to evaluate the reports and determine rewards based on tiers and the above-mentioned list of criteria. Researchers are then contacted.
We strongly recommend using the OpenSSF vulnerability reporting template to write your report, and sending it to bugbounty@sanity.io. Should you need to encrypt your report, or sensitive sections of it, we ask that you use the Sanity security@sanity.io PGP key, available on the OpenPGP site.
Our bug bounty program is a small one, but we commit to acknowledging receipt of your report within 3 business days (outside US holidays). Triage, mitigation, and resolution of the findings can take longer and carry no timeline commitment.
By submitting an entry, you agree to Sanity's privacy policy on data handling. We use a ticketing system, which is listed in our subprocessors.
We are unable to issue rewards to individuals who are on US sanctions lists, or who reside in countries (e.g., Cuba, Iran, North Korea, Syria, Russia, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local laws.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and that whether or not to pay a reward is entirely at our discretion.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by Sanity or Sanity Partner companies who develop software covered by this program.