Responsible Disclosure

Brevo

Purpose

Our top priority is the security and confidentiality of our customers. We try as much as possible to write clean code and perform thorough testing. Despite our best efforts, vulnerabilities may still be present in our services.

Everyone is encouraged to report identified vulnerabilities. Brevo will make the best effort to respond as fast as possible. Please allow a few days before messaging us again.

The preferred method for contacting Brevo security team and reporting vulnerabilities is by sending an email to [email protected].

Disclosure Policy

  • Respect the law and do not break it;
  • Do not DDoS or otherwise disrupt, interrupt, or degrade our services;
  • Do not use social engineering techniques against our clients or staff;
  • Do not conduct spam or phishing attacks;
  • Do not put Brevo or its clients’ data at risk;
  • Do not permanently alter or delete data;
  • Comply with applicable criminal law and other applicable laws.

Rules

Your submission, preferably in English should contain:

  • Clear description and evidence of the vulnerability (logs, screenshots, responses)
  • Detailed steps to reproduce the issue
  • Any platforms, operating systems, versions that are relevant
  • Any relevant IP addresses or URLs
  • Any supporting evidence you have collected (logging, tracing etc.)
  • Your assessment of the exploitability or impact of the issue
  • Your contact details
  • Please preserve as much evidence as possible as we may need to examine it.

These rules help us respond faster to identify high quality submissions.

We will not respond to:

  • Reports of any information already in the public domain;
  • Reports of generic vulnerabilities with no evidence of relevance to our systems;
  • Missing http security headers;
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms;
  • Generic scan results of our platforms.

This program is not a bug bounty program and does not offer monetary reward for submissions.

Please do not request compensation for time and materials or vulnerabilities discovered. Please abide by the ethical code of conduct.

Confidentiality Policy:

Please treat all information about our systems and our users’ data as strictly confidential and not release it publicly. This applies regardless of whether Brevo had prior knowledge of the information.

We appreciate the efforts of security researchers who share information on security issues with us. Thank you for helping make the internet a better and safer place for all of us.