Vulnerability reporting

At Rippling, we believe transparency is a crucial part of security research. We pride ourselves on working with the security community to identify and address vulnerabilities promptly.

Rippling encourages responsible disclosure of vulnerabilities through a bug bounty program.

By participating in the Rippling Bug Bounty Program or disclosing a vulnerability to Rippling, you agree to the Rippling Vulnerability Reporting Terms and Conditions.

Scope: *.rippling.com (except developer.rippling.com)

Bug bounty eligibility guidelines:

The identified vulnerability must be disclosed only to Rippling. Do not share the vulnerability information with any party outside Rippling without permission.

The disclosure write-up should include clear details with steps to reproduce, a verifiable proof of concept (screenshots, video, script), and a clear statement of the security impact of the finding.

The issue has to be reproducible by our team to qualify for a bounty.

The early bird catches the worm. Be the first to report an issue. Duplicate reports will not be eligible for a bounty reward.

Exploitation should not cause an adverse effect on other users, including gaining access to or modifying other users' data without their permission, or modifying configuration inside Rippling's systems.

Rippling reserves the right to cancel or modify this program at any time without prior announcement.

Rippling reserves the sole right to determine the eligibility and severity of the vulnerability and its bounty reward.

The Rippling Vulnerability Reporting Program is subject to the legal terms and conditions outlined here, which include our safe harbor terms. By participating in this program, you represent that you have reviewed and agreed to comply with those terms, including all applicable local and international laws.

Excluded vulnerabilities from submission

The following security issues are excluded from this program because they have low security impact to Rippling. Issues in this section are not accepted under this program and will be immediately marked as invalid:

Verbose error messages (e.g. stack traces, application or server errors).

Banner disclosure on common/public services.

Disclosure of known public files/directories (e.g. robots.txt).

Clickjacking and issues only exploitable through clickjacking.

Script injection/CSRF in forms that are available to anonymous users (e.g. the contact form).

Existence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

Absence of Secure/HttpOnly flags on non-sensitive cookies.

Incorrect autocomplete or save password functionality.

Self-XSS.

Vulnerabilities in third-party services.

Vulnerabilities requiring physical access, social engineering, or brute force related to rate limits.

DDoS, DoS, or web-application-based DoS attacks (including but not limited to XML bomb attacks, billion laughs attacks, pixel flooding attacks, etc.) are outside the scope of this program.

HTTPS mixed content scripts.

Username/email enumeration via login page error messages or forgot-password error messages.

Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options.