Security

Bug Bounty Program

Have you discovered a security issue with Gusto.com or another Gusto property?

Please let us know immediately. We are committed to addressing security issues in a timely manner and will pay a bug bounty for your responsible disclosure.

Report to security@gusto.com with a detailed description of the issue and the steps to reproduce it. Include a supplementary video recording if you can. If you’d like a PGP key to encrypt your message, please email us and request one.

In-scope properties

All content on any website, web application, or platform listed below (collectively, the “Properties”) qualifies for the Program:

  • gusto.com
  • www.gusto.com
  • link.gusto.com
  • *.gusto-demo.com
  • www.gusto-demo.com
  • link.gusto-demo.com
  • api.gusto-demo.com
  • app.gusto-demo.com
  • manage.gusto-demo.com
  • hippo.gusto-demo.com

Out-of-scope properties

The sites, applications, platforms, and other properties listed below are out of scope and will not qualify for the Program. Please DO NOT test them:

  • *.gusto.com (Except for gusto.com, www.gusto.com, and link.gusto.com, which are in-scope properties, as listed above)
  • api.gusto.com
  • app.gusto.com
  • manage.gusto.com (This is a production environment: it files irreversible forms with various government agencies and can move money to and from bank accounts. Please use https://manage.gusto-demo.com, our sandboxed environment, instead.)
  • hippo.gusto.com
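The two lists above interact: `*.gusto.com` is excluded as a whole, yet three named hosts under it are in scope, and `*.gusto-demo.com` is included as a whole with its apex never mentioned. Before pointing any tooling at a host, it is worth resolving that precedence mechanically rather than by eye. The following scope checker is an added example, not Gusto's code: it transcribes the scope entries from this page and applies one assumed precedence rule (an exact hostname entry beats a wildcard, and on a tie the restrictive verdict wins), treating anything that matches no entry as "unlisted" so that it is neither tested nor misreported as excluded.

```python
"""Pre-engagement scope check for the targets listed on this page.

Added example, not Gusto's code. The scope entries are copied from the page;
the precedence rule (exact entry beats wildcard, restrictive verdict wins a
tie) is this example's assumption about how the "except for ..." wording
should be applied. A wildcard requires at least one extra label, so
"*.gusto.com" does not match "gusto.com" itself.
"""
from urllib.parse import urlsplit

IN_SCOPE = (
    "gusto.com", "www.gusto.com", "link.gusto.com",
    "*.gusto-demo.com", "www.gusto-demo.com", "link.gusto-demo.com",
    "api.gusto-demo.com", "app.gusto-demo.com", "manage.gusto-demo.com",
    "hippo.gusto-demo.com",
)
OUT_OF_SCOPE = (
    "*.gusto.com", "api.gusto.com", "app.gusto.com",
    "manage.gusto.com", "hippo.gusto.com",
)


def hostname_of(target: str) -> str:
    """Accept a bare hostname or a URL; return the lowercase host, no port."""
    if "://" not in target:
        target = "//" + target          # make urlsplit treat it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def _match(host: str, pattern: str):
    """Return a specificity key if host matches pattern, else None.

    Exact entries outrank wildcards (first tuple element); among wildcards a
    longer suffix outranks a shorter one (dot count).
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                        # e.g. ".gusto.com"
        # The leading dot in the suffix stops "notgusto.com" and
        # "gusto.com.evil.com" from matching; the length check requires
        # at least one label in front of the suffix.
        if host.endswith(suffix) and len(host) > len(suffix):
            return (0, pattern.count("."))
        return None
    if host == pattern:
        return (1, pattern.count("."))
    return None


def classify(target: str) -> str:
    """Return 'in-scope', 'out-of-scope' or 'unlisted' for a host or URL."""
    host = hostname_of(target)
    if not host:
        return "unlisted"
    hits = []  # (specificity, allowed?)
    for pattern in IN_SCOPE:
        key = _match(host, pattern)
        if key is not None:
            hits.append((key, True))
    for pattern in OUT_OF_SCOPE:
        key = _match(host, pattern)
        if key is not None:
            hits.append((key, False))
    if not hits:
        return "unlisted"                # not covered by the page: ask first
    best = max(key for key, _ in hits)
    # Only the most specific matches decide; any excluding one among them wins.
    allowed = all(ok for key, ok in hits if key == best)
    return "in-scope" if allowed else "out-of-scope"


if __name__ == "__main__":
    # Constructed sample targets exercising the precedence corners.
    for t in ("gusto.com", "https://www.gusto.com/login", "app.gusto.com",
              "staging.gusto.com", "https://app.gusto-demo.com/",
              "gusto-demo.com", "gusto.com.evil.com"):
        print(f"{t:32} {classify(t)}")
```

Note the `gusto-demo.com` result: the page lists `*.gusto-demo.com` but never the bare apex, so the checker reports it as unlisted rather than inferring permission. That is the conservative reading a tester should take to the program before touching such a host.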

Non-Qualifying Vulnerabilities

Depending on their impact, some reported vulnerabilities may not qualify for a reward. Although we review each Vulnerability Report individually to determine whether it describes a Qualifying Vulnerability, the issues below are unlikely to be Qualifying Vulnerabilities and are therefore unlikely to earn a reward:

  • Best practices concerns
  • Clickjacking on pages with no sensitive actions
  • Content injection issues
  • Cross-site request forgery (CSRF) with minimal security implications (logout CSRF, etc.)
  • CSV injection
  • Flaws affecting the users of End of Life browsers and plugins
  • Fraud issues (while we welcome you to submit reports on fraud issues, we do not offer Rewards for them at this time)
  • Invite/promo code enumeration
  • Issues relating to Password Policy
  • Legitimate content proxying and framing
  • Missing autocomplete attributes
  • Missing cookie flags on non-security-sensitive cookies
  • Missing security headers that do not pose an immediate security vulnerability
  • Non-technical vulnerabilities, such as the physical security of Gusto’s offices
  • Open ports without a proof of concept demonstrating the vulnerability
  • Open redirects (provided, however, that we do ask that you submit reports on open redirects with high security impact, such as stealing OAuth tokens)
  • Presence of banner or version information (provided, however, that if you believe outdated software poses a legitimate security risk, please do report it to us)
  • Recently disclosed zero-day vulnerabilities (please wait four weeks before reporting these types of issues)
  • Reflected file download (RFD)
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Stack traces that disclose information
  • Vulnerabilities as reported by automated tools without further analysis as to how they pose a risk to Gusto
  • Vulnerabilities reported through a broker
  • Vulnerabilities requiring physical access to a victim’s computer
  • window.opener-related issues