Security Vulnerability Disclosure Program

Gainsight is committed to protecting the privacy and security of users of our products. Our intention is to minimize the impact any security flaws have on our products or their users.

This disclosure program applies to vulnerabilities in Gainsight products under the following conditions:

Out of Scope

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Anything other than information security vulnerabilities.
  • Sending, or attempting to send, unsolicited or unauthorized email, spam, or other forms of unsolicited messages.
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade the Gainsight product.
  • Denial of Service (DoS/DDoS) vulnerabilities.


Guidelines

  • Report any vulnerability that you’ve discovered promptly.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data or to impact system availability.
  • Keep the details of any discovered vulnerabilities confidential until receiving explicit permission from the Gainsight security team.
  • Security researchers must not modify data in our systems/services that is not their own.
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability.
  • Comply with all applicable laws.

In return, we will work to review reports and respond in a timely manner.

Safe Harbor

When conducting vulnerability research according to this program, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal action against you.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

Reporting

Vulnerabilities discovered must be reported to Gainsight via security@gainsight.com.

Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability as soon as possible.

Our public program currently does not provide any monetary reward. However, if you are a Bugcrowd researcher, once your submitted issue is accepted by us, you can claim your submission on Bugcrowd for kudos. We consider inviting researchers who successfully identify new and particularly severe security issues to Gainsight private bug bounty programs on Bugcrowd, where we reward issue discoveries with bounty payouts subject to issue priority and severity.