- advocates.semrush.com
- actonmail.semrush.com
- email.semrush.com
- berush.com
- Any other issues related to software not under SEMrush's control
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of SEMrush staff or contractors
- Any physical attempts against SEMrush property or data centers
- CSRF - site wide and known issue
The following bugs are unlikely to be eligible for a bounty:
- Missing DNSSEC settings (we're working it)
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Attacks requiring physical access to a user's device
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, HTTP methods, cookie flags, or descriptive error messages
- Brute Force attacks
- Spam or Social Engineering techniques, including SPF/DMARC/DKIM issues
- Issues relating to Password Policy - strength, length, lock outs, or lack of brute-force/rate limiting protections
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV. Reflected file download attacks (RFD)
- SSL/TLS best practices that do not contain a fully functional proof of concept
- Tab nabbing and window.opener-related issues
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
- Bugs that do not represent any security risk - these should be reported to [email protected]
- IDN homograph attacks