Security Program

Nylas empowers the world to communicate with context and insight. We offer cloud communication APIs that allow developers to easily and securely connect their applications to any inbox, calendar, or contact in the world. Customers such as Hyundai, Realtor.com, Pipedrive, and Dialpad rely on Nylas to remove the complexity of building and supporting integrations across disparate platforms such as Gmail, IMAP, Outlook, Exchange, and Google Calendar.
 
Nylas takes its security posture seriously and welcomes responsible disclosures of potential vulnerabilities in our systems. We've put together this document to capture the guidelines for our program, including rules of testing, scope and what we may consider for a reward.

Targets

Nylas is currently accepting medium severity and higher vulnerabilities in the listed focus areas. Nylas is not currently able to reward researchers for Informational or Low severity issues.
 
In scope:
 
Some of these targets may share code and will therefore be rewarded only once. 
 
In general, Nylas cannot accept vulnerabilities in third-party applications. Exceptions may be made if Nylas can mitigate the identified issues and the actions are not part of an already planned process. Issues that must be mitigated solely by the third-party provider will not be accepted by Nylas.
 
Out of scope:
  • Third-party websites and services, as noted previously
  • The use of automated scanning tools. We will not accept reports from automated tools and request that you do not use them against our services.
  • Attacks against Nylas users. All testing must be performed using accounts created for this purpose.
  • Any attack which degrades Nylas service performance or causes any negative effects for Nylas users
  • Any physical or phishing attacks against Nylas properties, data centers, employees, partners or users
 
The following potential issues are known to Nylas and/or are specifically out of scope:
  • Lack of email verification on sign up
  • Lack of rate limiting on any resources, including login and password reset
  • Lack of upper limit on password length
  • Ability to add a URL as the name of an invited user
  • HTTP 404 or other error codes and pages, unless they reveal source code or sensitive information
  • Banner or version disclosure of any kind
  • Presence of common public files, such as robots.txt or files in the .well-known directory
  • Information disclosure through robots.txt
  • CSRF on anonymous resources, or any CSRF issue which does not include an exploit showing control over sensitive actions
  • Clickjacking / UI redressing issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
  • Open redirect issues, unless the issue can be specifically used to compromise sensitive tokens
  • Issues that only impact outdated or obscure browsers 
  • Self-XSS issues, such as having a user paste JavaScript into a browser console

 

You can submit bug disclosures here.

Rewards

Nylas will determine the severity of each finding based on industry-accepted guidelines, as well as knowledge of the impacted environment. Nylas will consider potential impact to the business and clients, ease of exploitation and ability to mitigate the issue internally. We ask that each submission contain the following details to help us make these determinations:
 
  • Clear description of the issue, including a possible attack scenario
  • Detailed reproduction steps that demonstrate the presence of the vulnerability
  • Recommended fixes, mitigations or workarounds for the reported issues
 
Nylas is working on specific reward criteria and amounts. As stated earlier, only vulnerabilities with Medium and above severities will be considered. Nylas is unable to reward Informational and Low severity issues. Nylas does not currently have a "hall of fame" or other compensation facilities for these issues.
 
Please send submissions to security@nylas.com, or call 415-604-9500.