RESPONSIBLE DISCLOSURE POLICY

The security of Booksy systems and the data residing within them is crucial for us, and we treat potential security issues as a top priority. We do our best to protect the data of Booksy merchants and customers from security threats, and we encourage all users and security researchers to report security vulnerabilities discovered in our platform. We are committed to handling vulnerability reports in a timely manner and with the greatest attention, provided that the following Policy is respected.

I. SCOPE

  1. Booksy’s vulnerability disclosure program covers the following products:
    1. Booksy Customer Application - https://booksy.com/
    2. Booksy Business Application - https://booksy.com/biz/
    3. Booksy Mobile Applications:
  2. While Booksy develops a number of other products, we ask that all security researchers submit vulnerability reports only for the stated product list from point 1 above, subject to point 3 below.
  3. If you believe that you have identified a critical-risk vulnerability or potential data leakage that is not in scope under point 1 above, but may still negatively impact the data of Booksy or its users, please do not hesitate to get in contact with us.

II. REPORTING AN ISSUE

  1. Please share privately the details of your security vulnerability by emailing our Security Team at security@booksy.com.
  2. When reporting, make sure to include as much information as possible, including screenshots, detailed steps to reproduce the problem, the application versions that are affected and any other information that might help us triage the vulnerability more efficiently.

III. VULNERABILITY DISCLOSURE PROCEDURE

  1. You privately share the details of the security vulnerability with our Security Team by reporting an issue, as described in point II (1) above.
  2. We acknowledge your submission and verify the vulnerability. Our first answer generally comes within 2 business days.
  3. If the vulnerability is considered valid and in scope, we work on a correction in collaboration with you, to the extent you are comfortable with.
  4. Once a vulnerability is patched by our product team we notify you about the fix and recognize you in our Hall of Fame, if you agree.

IV. RULES OF ENGAGEMENT

  1. We ask you to obey the following rules at all times:
    1. do not view or store Booksy’s non-public data (except the data necessary to document and report the presence of a potential vulnerability);
    2. do not attempt to access or modify data that belongs to other Booksy users;
    3. do not attempt to execute denial of service attacks, or to compromise the reliability and availability of Booksy services;
    4. do not use scanners, automated tools or any other tools which may generate excessive traffic and negatively impact the system’s availability;
    5. never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system;
    6. do not publicly disclose vulnerabilities without our prior consent (disclose only according to the disclosure procedure in point IV above).

V. WHAT TO REPORT

  1. When contacting us, please try to create a proof-of-concept attack (with a screenshot if necessary) or a script exploiting the issue. If the proposed attack scenario turns out to be unrealistic, your report will probably be rejected with acknowledgement.
  2. Qualifying vulnerabilities:
    1. injection vulnerabilities;
    2. XSS vulnerabilities working in supported browsers;
    3. broken authentication or session management, allowing unauthorized access to sensitive data or account takeovers;
    4. vulnerabilities resulting in arbitrary code execution or reading sensitive files/data (RCE, LFI, RFI, SSRF, XXE);
    5. broken access control (privilege escalation, IDOR, CSRF);
    6. sensitive information disclosure (PII, booking data, secrets, sensitive API keys, configuration files);
    7. business logic vulnerabilities which allow an attacker to bypass the intended business flow and cause harm to Booksy or its users;
    8. other vulnerabilities where you are able to clearly demonstrate a negative impact on Booksy’s data & system security.
  3. Non-qualifying vulnerabilities:
    1. suboptimal HTTP header configuration (unless you are able to prove a non-theoretical impact of such a configuration);
    2. suboptimal SSL/TLS configuration (unless you are able to prove a non-theoretical impact of such a configuration);
    3. XSS vulnerabilities working only in unsupported/deprecated browsers, or requiring an action which is unlikely to be taken by an aware user (e.g. pressing some key combination);
    4. user/e-mail enumeration vulnerabilities;
    5. file path disclosures or error handling issues, which do not carry significant risk;
    6. clickjacking or phishing attacks using social engineering tricks to abuse users, with the system working as intended;
    7. suboptimal password policies;
    8. non-permanent Denial of Service (DoS) and distributed DoS (DDoS) that maintain resource exhaustion (CPU/network/memory) via a sustained stream of requests/packets;
    9. mobile vulnerabilities related to insufficient reverse-engineering protection, or client-side vulnerabilities which require, e.g., a compromised device to be exploited;
    10. disclosure of information that does not carry significant risks (e.g. server type);
    11. suboptimal configuration of e-mail security policies (e.g. DKIM, DMARC).
  4. If you have any concerns about whether an issue falls within the scope that should be reported to us, please do not hesitate to contact us.

VI. REWARD

  1. If you report a non-duplicate security issue that is confirmed to be impactful (see the section in point V (2) above), we will be happy to include your name in the Booksy Security Hall of Fame section, if you agree.
  2. If we consider that the vulnerability you reported has a major impact on Booksy security, such as critically sensitive information disclosure, remote access to core system authority, etc., you can be rewarded with an additional surprise.

VII. HALL OF FAME

We would like to thank the following individuals for their contribution to increasing Booksy’s overall security posture.

2022

  1. Takshal Patel
  2. Mubassir Patel
  3. Nikhil Rane
  4. Shivansh Khari
  5. Sam Crowther
  6. Opinder Singh

2023

  1. Mohamed Shibil
  2. Robert Muchacki