Scope of Potential Security Vulnerabilities

If you are unsure whether a service is within our scope or not, feel free to ask us via our contact form. Below are some specific examples of in-scope and out-of-scope apps and websites to help guide your research.


Target

Eligible

Ineligible

BandLab

Websites: bandlab.com, edu.bandlab.com, accounts.bandlab.com, cakewalk.bandlab.com, bnd.link 

Apps: BandLab, BandLab Assistant  

Websites: blog.bandlab.com, blog.edu.bandlab.com, careers.bandlab.com, help.bandlab.com, help.edu.bandlab.com rewards.bandlab.com, news.bandlab.com,
stats.bandlab.io

AudioStretch

Apps: AudioStretch, AudioStretch Lite

Websites: www.audiostretch.com, help.audiostretch.com 

Cakewalk

Websites: cakewalk.bandlab.com

Websites: help.cakewalk.com, discuss.cakewalk.com

Apps: Cakewalk by BandLab

Open Source

 

Code repos: https://github.com/bandlab/ 

Other Partnerships/Acquisitions

 

Websites: chew.tv,
composer.io, composrapp.com, cakewalk.com

Portal



Hardware: All first-party hardware (Link Devices)


Out of Scope

  • Spam or social engineering techniques.
  • Denial-of-service attacks.
  • Content injection. Posting content on BandLab is a core feature, and content injection (also "content spoofing" or "HTML injection") is out of scope unless you can clearly demonstrate a significant risk.
  • Security issues in third-party apps or websites that integrate with BandLab (including most pages on bandlab.com) 
  • Mobile app crash reports that are not reproducible on up to date OS versions or releases within the last 6 calendar months


False Positives

  • Profile pictures are available publicly. Your current profile picture is always public (regardless of size or resolution).
  • Note that public information also includes your username, ID, location, birthday, gender, email address, real name, and/or anything you’ve shared publicly (Learn More).
  • Accessing photos via raw image/audio/video URLs from our CDN (Content Delivery Network). 
1 out of 1 found this helpful