Squarespace is committed to maintaining a strong security posture. We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered. We will investigate all legitimate reports and follow up if more details are required. Prior to reporting a vulnerability, please follow our Responsible Disclosure Guidelines and Submission Criteria outlined below.
Responsible Disclosure Guidelines
While Squarespace highly values contributions and disclosures from the security researcher community, it is important that these disclosures are submitted responsibly. With this in mind and in a constant effort to protect our customers, please:
Allow us a reasonable amount of time to investigate and address reported issues. This amount of time will vary based on the severity of the vulnerability.
Do not post any information publicly (via social media or any other means) before allowing us to contact you.
Conduct all vulnerability research using your own Squarespace account (e.g. your trial account) and please limit your research to in-scope criteria.
Do not engage in actions that may degrade our production service during your research efforts.
Do not engage in actions that may result in unauthorized data disclosure, malicious behavior, or data corruption.
Submission Criteria
The following vulnerability classes are in scope:
Server-side Remote Code Execution (RCE)
Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
SQL Injection (SQLi)
XML External Entity Attacks (XXE)
Access Control Issues (ACI)
Local File Disclosure (LFD)
The following are out of scope and will not be accepted:
Insecure direct object reference for non-guessable IDs
Duplicate submissions for issues that are already being remediated
All OAuth flows
Rate limiting issues
Session timeout issues
Patching issues that are less than 90 days old
0-day vulnerabilities that are less than 30 days old
Password complexity guidelines
Lack of email validation
Clickjacking, or issues only exploitable through clickjacking