How to responsibly report a security issue

Last updated 3/18/2021

Quickbase takes the security of our products very seriously. We educate our staff on security best practices, and our development process includes quality assurance such as peer review to help ensure our products are high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products.

If you discover a security issue in a Quickbase product or service, we ask that you report it to us confidentially in order to protect the security of our services. Please email the details to our security team at [email protected]. Quickbase's security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch. We follow responsible disclosure and will credit researchers when a security issue has been identified and mitigated while adhering to the following specifics.

  • You may not use automated tools in your research without our explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
  • You make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
  • You give us reasonable time to respond to your report and carry out remediation.
  • We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in the Quickbase platform, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
  • We will credit you with your name and a "no-follow" link to the address of your choosing (e.g. Twitter or personal website).
  • We are not interested in reports on the following issues:
    • CSRF in forms available for anonymous user use (e.g. the contact form)
    • Displayed server software "banners" or version information
    • Issues that are being handled in public issue queues of any OSS projects in use
    • Click-jacking on domains that do not involve authenticated user accounts
    • CSV Injection attacks where exported CSV files may execute commands in Excel, Numbers, Google Sheets, or other CSV programs
  • We will not bring any lawsuit or begin law enforcement investigation into you if you follow these parameters.

Details to include when reporting a security issue

Please provide as many relevant details as you can. In particular:

  • What steps someone can follow to reproduce the issue.
  • Any patches or steps to mitigate the problem.

Thank you!

A special thanks to the following people that have responsibly disclosed vulnerabilities to Quickbase in the past: