Security and privacy at Envato starts with our values.
At Envato, we understand that security and privacy are important because we are in
it for the community. This means we're committed to working with our
community, including through our security program, which recognizes helpful hackers
who work with Envato.
Helpful Hacker Program
Our Helpful Hacker program allows our community to report product
vulnerabilities to Envato. We operate the program based on the following
principles:
- Reported issues will be prioritized based on impact on our community, not based on financial incentives.
- Swift resolution based on impact on our community, aiming for less than 72 hours after the report has been made.
- Reported issues will be disclosed by Envato to the community shortly after resolution of the problem.
- Responsible disclosure, meaning that you give us a fair go to resolve the issue before the vulnerability is disclosed to the community. This helps us protect the security and privacy of our community.
Reporting a vulnerability
If you believe you have found a general security vulnerability in an Envato
product, you can use this form to report the vulnerability to us. We will confirm
receipt and follow up with verification and a target date for full disclosure
following resolution.
For security issues related to your personal account, you should contact our friendly Help Team.
Rules
Whilst investigating potential vulnerabilities, you must not:
- Test against any service that isn't owned by Envato. This includes all third party providers, regardless of whether they are hosted on an Envato owned/operated subdomain.
- Cause disruption to the availability of any Envato services.
- Attempt to gain access to another user's data or information.
- Impact other users with your testing.
- Attempt non-technical attacks such as social engineering or physical
attacks against employees or infrastructure.
- Pivot your approach from one vulnerability to another in order to escalate
your access.
- Share sensitive information exposed during the course of finding a
vulnerability.
- Violate any laws.
If in doubt, get in touch first!
Scope
Included in scope are any products or services that reside under the following
domains that are owned by Envato:
- *.envato.com
- *.envato.net
- *.envato-staging.com
- *.envato-staging.net
- *.envatomarketplaces.com
- *.tutsplus.com
- *.themeforest.net
- *.codecanyon.net
- *.videohive.net
- *.audiojungle.net
- *.graphicriver.net
- *.photodune.net
- *.3docean.net
- *.activeden.net
- *.twenty20.com
- *.reshot.com
- *.milkshake.app
- *.msha.ke
- *.milkshakedev.net
- *.mixkit.co
- camo.envatousercontent.com
- Items for sale or available for download from any of the Envato Marketplaces.
This program does not offer bounties or rewards, financial or otherwise. In
recognition of our appreciation, Helpful Hackers will be added to either
the Envato Systems Honor Roll or
the Envato Author Item Honor Roll,
depending on the scope of the vulnerability.
Qualifying vulnerabilities
While not exhaustive, this list provides some examples of what we class as a
security vulnerability and will award to Helpful Hackers.
- Authentication or authorization flaws
- Cross-site scripting
- Cross-site request forgery
- Server-side code execution bugs
- Ability to view another user's personal or sensitive data
- Remote code execution
- SQL injection
- Bypassing of security controls or boundaries
Non-qualifying vulnerabilities
- You are not the first person to identify the vulnerability: While we endeavor to address and disclose security reports in a timely manner, it may occur that multiple reports come in for the same issue, in which case we will only award the initial reporter.
- Testing against third party systems/content (even under an Envato subdomain): Any system or content that is not owned/operated by Envato cannot be tested without the system owner's explicit permission. We recommend contacting them and checking whether they have a bug bounty program before engaging in any testing.
- Vulnerabilities that Envato determines to be an accepted risk.
- Vulnerabilities requiring exceedingly unlikely user interaction or steps to exploit.
- Phishing attacks: We do not accept phishing of users or staff as a security vulnerability that we can manage or mitigate. If you do find one, please don't hesitate to get in touch so we can take steps to remove it from public consumption.
- Third party plugins or browser based scripts used to enhance or alter the Envato products: If you use a tool to alter how the Envato sites look or interact and you discover a vulnerability in the tool, it is best to disclose the issue to the project maintainer.
- Presence of banner or version information: On its own, we don't consider the display of a product version a vulnerability. However, if you find a very outdated version or think it poses a security risk, please get in touch.
- Denial of service attacks: In the interest of service availability, we strongly discourage the use of automated tools that generate significant volumes of traffic that may impact our users.
- General security advice without an identified vulnerability report: While it's appreciated that people reach out to our team regarding general security advice, such as not using exposed HTTP query parameters, without an attached vulnerability we will not award the submission, as on their own such observations are not a security risk.
If you are ever unsure whether the vulnerability you are testing is
questionable or may fall into the non-qualifying category, please get in touch
with us for guidance.