Report a Security Vulnerability to TechSmith

If you have discovered a vulnerability in a TechSmith product, please review the following TechSmith Vulnerability Disclosure Policy and then use the form below to report it.

TechSmith's Vulnerability Disclosure Policy

Vulnerability Disclosure Philosophy

TechSmith believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between TechSmith and Security Researchers. Together, our vigilant expertise promotes the continued security and privacy of TechSmith customers, products, and services.

When you find a vulnerability:

  1. Please write a thorough report with step-by-step instructions to reproduce the vulnerability.
  2. Avoid disclosing the vulnerability publicly or to any third parties until the issue is resolved.
  3. Make a good-faith effort to avoid violating the privacy of TechSmith customer data. Test with your own accounts where possible.
  4. Never destroy or otherwise tamper with TechSmith customer data that does not belong to you.
  5. Clean up after testing. If your vulnerability involves leaving malicious entries or files on a TechSmith property, please delete or hide them once they're no longer needed for demonstrating the vulnerability.

What we'll do:

  1. Review your report as soon as we can.
  2. If we're unable to reproduce the issue, we'll reach out for further clarification on the vulnerability.

Scope

In Scope Web Entities

  • https://myaccount.techsmith.com
  • https://library.techsmith.com
  • https://videoreview.techsmith.com
  • https://www.screencast.com
  • https://www.techsmith.com

In Scope Desktop Products

  • Snagit [including outbound web calls to TechSmith owned properties]
  • Camtasia [including outbound web calls to TechSmith owned properties]
  • Audiate [including outbound web calls to TechSmith owned properties]
  • TechSmith Capture [including outbound web calls to TechSmith owned properties]

Out of Scope Web Entities

  • https://login.techsmith.com
  • https://support.techsmith.com
  • https://*.techsmithrelay.com
  • https://*.techsmithknowmia.com
  • Any third-party service

If you identify a vulnerability on a domain or subdomain owned by TechSmith that is not explicitly mentioned here, you may still report it to us, but it may not be eligible for rewards. If you're unsure whether a particular domain or subdomain is served by TechSmith, please look up the DNS record for it. We frequently redirect techsmith.com subdomains to third-party providers. Please note that several of our services are behind a Web Application Firewall and may appear that way in a DNS lookup. The applications running on these websites are in scope, but testing the Web Application Firewall itself is out of scope.

Out of Scope Exploits

Please do not test or report the following:

  • Denial of Service attacks against web entities
  • Rate limiting flaws
  • Spamming
  • Email Spoofing
  • Social Engineering
  • Physical penetration testing
  • Self-XSS
  • SSL/TLS configuration issues
  • X-Frame-Options flaws / Clickjacking
  • Open redirects without an active demonstration of malicious use

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.