Our Vulnerability Disclosure Program is intended to minimize the impact that any security flaws
have on our tool or users. In order to qualify to the Program, the vulnerability must exist in the
latest public release. You should remember that only security vulnerabilities will qualify.
Guidelines and Scope limitations
Prior to reporting, please review the following information including our vulnerability disclosure
program, scope, and other guidelines.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and
malicious attack, we ask that you:
- Follow this Disclosure Program, as well as any other relevant agreements
- Do not cause any harm, hinder application fluency or act against our Terms of
- Do not intentionally access non-public amoCRM data anymore than is necessary to demonstrate
- Do not access, modify, destroy, save, transmit, alter, transfer, use or view data belonging to
anyone other than yourself. If a vulnerability provides unintended access to data, please cease
testing, purge local information, and submit a report immediately.
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming
- Do not compromise the privacy or safety of our customers and the operation of our services.
activity will be treated as illegal.
- Keep the details of any discovered vulnerabilities confidential, according to this Disclosure
Program. Uncoordinated public disclosure of a vulnerability may result in disqualification from
- Comply with applicable laws and regulations.
- Use only the official channels designated (see “Reporting”) to discuss vulnerability
When conducting genuine in scope vulnerability research according to this Disclosure Program, we
consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state
laws), and we will not initiate or support legal action against you for accidental, good faith
violations of this Disclosure Program when conducting genuine vulnerability research.
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against
you for circumvention of technology controls when conducting genuine vulnerability research
according to this Disclosure Program.
conducting genuine vulnerability security research, and we waive those restrictions on a limited
basis for genuine vulnerability research done under this Disclosure Program.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
We reserve our right not to act in case of findings with no real risk impact on our data integrity
and GDPR-related documentation as well as governing law shall be treated as acting in bad faith and
in an illegal manner. We are not obliged to provide remuneration, fee or rewards for any
vulnerability disclosure – such action remains in our full discretion.
If at any time you have concerns or are uncertain whether your security research is consistent with
this Disclosure Program, please submit a report through one of our official Reporting channels
before going any further.
At this time, the following services and applications are in-scope:
- Web application and infrastructure:
- Any of third level subdomain amocrm.com and amocrm.ru
- Anything with significant impact across our entire security posture or infrastructure
Out of scope
We accept only manual or semi-manual tests. All findings coming from automated tools or scripts
will be considered as out of scope. Furthermore, all issues without clearly identified security
impact, missing security headers, or descriptive error messages will be considered out of scope.
- Attacks designed or likely to degrade, deny, or adversely impact services or user experience
(e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam...).
- Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or
information that does not belong to you.
- Attacks designed or likely to validate stolen credentials, credential reuse, account takeover
(ATO), hijacking, or other credential-based techniques.
- Intentionally accessing data or information that does not belong to you beyond the minimum
viable access necessary to demonstrate the vulnerability.
- Performing physical, social engineering, or electronic attacks against our personnel, offices,
wireless networks, or property.
- Security issues in third-party applications, services, or dependencies that integrate with
amoCRM products or infrastructure that do not have a demonstrable proof of concept for the
vulnerability (e.g., libraries, SAAS services).
- Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a
library we rely on to include a vulnerability for the sole purpose of receiving a reward).
- Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
- Reports of missing “best practices” or other guidelines which do not indicate a security issue.
- Attacks related to email servers, email protocols, email security (e.g., SPF, DMARC, DKIM), or
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless accompanied with working proof of concept).
- Reports of how you can learn whether a given client can authenticate to a amoCRM product or
- Reports of mappings between code names and client names.
- Reports of simple IP or port scanning.
- Missing HTTP headers (e.g. lack of HSTS).
- Email security best practices or controls (e.g. SPF, DKIM, DMARC).
- Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven
- Clickjacking or self-XSS reports.
- Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
- Domain-based phishing, typosquatting, punycodes, bitflips, or other techniques.
- Violating any laws or breaching any agreements (or any reports of the same).
Your findings should be supported by clear and precise documentation with no speculative
information. All findings should have an indication of relevance and impact. Remember to provide a
detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during
the discovery that will allow us to reproduce the vulnerability.
To ensure that your observations are properly reported you shall use only approved channels, namely
you should report discovered vulnerability via email to firstname.lastname@example.org