Security is a Branch priority
We take security seriously at Branch. Learn more about our policies and find out how to report a vulnerability.
Report a Phishing Attempt
Phishing is defined as the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information. At Branch, we limit the data we collect and we do not rent or sell personal information. For additional information, please visit https://www.branch.io/security/
If you believe that you are the recipient of a phishing attempt related to Branch systems, including an email or an app.link URL, then please notify us using the “Submit a Report” button below.
Report a Vulnerability
Responsible Disclosure Guidelines
Branch is a rapidly growing and security-driven company. We believe in delivering our product with the least possible risk and threat associated with each of Branch’s public-facing resources and services.
If you are interested in finding exploitable technical issues in our applications and workflows, we appreciate your help. We recommend submitting such issues as soon as possible.
Our team will investigate the security reports and resolve the issue within a reasonable time frame. We appreciate the efforts of security researchers and our users in helping keep Branch secure. While submitting issues through our Public Vulnerability Disclosure Program does not guarantee a monetary bounty, there have been instances where the Branch Security Team has invited researchers to participate in our private Bugcrowd Program. Researchers who are invited to the Bug Bounty Program become eligible to receive points and bounty rewards.
Guidelines
- You must append your contact email address or Bugcrowd handle (username) to the User-Agent header on every request. Configure your testing tool to use that custom User-Agent value before you begin testing.
- You may send a maximum of 5 requests per 30 seconds.
- Adhere to Branch’s Disclosure Policy.
- Provide necessary assistance to Branch to replicate the issue and mitigate relevant security issues.
- Reports generated by automated tools are not accepted as valid submissions.
- Intensive automated scans must not negatively impact the availability of any Branch service.
- Automated vulnerability scanning tools and their scan reports are prohibited.
- In the case of duplicate reports, the first report would be considered a valid submission.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
- Do not attempt to gain access to another user’s account or data.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Scope of Branch’s Bug Bounty Program
- *.branch.io
- https://github.com/BranchMetrics/android-branch-deep-linking – Android
- https://github.com/BranchMetrics/ios-branch-deep-linking – iOS
- https://github.com/BranchMetrics/mac-branch-deep-linking
- https://github.com/BranchMetrics/web-branch-deep-linking
Out of scope
Breach of our program’s terms
You are expected to respect all the terms and conditions of Branch’s Bug Bounty Program. Non-adherence or non-compliance will lead to disqualification. A serious breach may also lead to suspension of your account and any existing access.
Legal Terms and Conditions
In addition to these Terms and Conditions (the “Agreement”) regarding the Branch Responsible Disclosure Program (the “Program”), there may be additional restrictions depending upon applicable local laws.
- The parties to this Agreement are you and Branch Metrics, Inc. (“Branch”).
- By reporting a vulnerability, you affirm that you have not disclosed and agree that you will not disclose the vulnerability to anyone other than Branch. Absent Branch’s prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that Branch may be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to Branch.
- By reporting a vulnerability, you are granting Branch a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing the vulnerability in Branch’s products and services.
- If a reported vulnerability affects a third party or another vendor, Branch reserves the right to forward details of the issue along to the third party or vendor without further discussion with you.
- You are responsible for all taxes associated with and imposed on any Reward you may receive from Branch.
- You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact Branch, Branch’s products or services generally, or Branch’s online environment availability or performance.
- Branch may choose not to remediate at its sole discretion.
- This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law, without regard to its conflict of law principles. This Agreement may be amended or modified only by a subsequent agreement in writing.
- If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.
- You must not be the author of the code with the vulnerability.
- You must not be a Branch employee, contractor, or a family member of an employee or contractor.
BRANCH RESERVES THE RIGHT TO MODIFY OR CANCEL THE BRANCH RESPONSIBLE DISCLOSURE PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.
Branch Responsible Disclosure program powered by Bugcrowd.