Introduction

Squarespace is committed to maintaining a strong security posture. We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered. We will investigate all legitimate reports and follow up if more details are required. Prior to reporting a vulnerability, please follow our Responsible Disclosure Guidelines and Submission Criteria outlined below.

Responsible Disclosure Guidelines

We have a private bug bounty program managed by HackerOne where security issues must be reported. If you send us your HackerOne username, we can invite you to the program, where you can resubmit your report and have it properly triaged.

Submission Criteria

In-scope:

  • Server-side Remote Code Execution (RCE)

  • Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • Server-Side Request Forgery (SSRF)

  • SQL Injection (SQLi)

  • XML External Entity Attacks (XXE)

  • Access Control Issues (ACI)

  • Local File Disclosure (LFD)

Out-of-scope:

  • Squarespace Extensions

  • Privilege escalation from a non-Administrator role to an Administrator role.

  • All attacks from one user to another user on the same site.

  • All Squarespace client websites not owned by the researcher.

  • Network-level Denial of Service.

  • Application-level Denial of Service. If you find a request that takes too long to respond, report it to us. Do not DoS the system.

  • Self-XSS. We allow our users to add arbitrary scripts to their sites. Injecting a script in a tag as the site-owner is equivalent to this functionality.
    Note: Self-XSS on a site’s /config route may be acceptable

  • Insecure direct object reference for non-guessable ids.

  • Duplicate submissions that are being remediated.

  • Multiple reports for the same vulnerability type with minor variations.

  • All OAuth flows.

  • Rate limiting issues.

  • Session Timeout issues.

  • Patching issues that are less than 90 days old.

  • 0-day vulnerabilities that are less than 30 days old.

  • Password complexity guidelines.

  • Lack of email validation.

  • Email or user enumeration.

  • Clickjacking or issues only exploitable through clickjacking.

  • XSS issues that only affect outdated browsers.

  • Open redirects.

  • Lack of security-related flags on cookies.

  • Password brute-forcing.

  • Reflected File Download (RFD).

  • Issues that require physical access to a victim’s computer.

  • Issues that require privileged access to the victim’s network.

Reporting a potential vulnerability workflow

If you are a Squarespace customer, please file a support request describing your security concern.

If you are a security researcher, please enter your HackerOne username below.