We value the contributions of the security research community in keeping Screenly and our users safe. This policy outlines how to responsibly report potential vulnerabilities and what you can expect from us.
Scope
In Scope
- screenly.io (marketing site)
- *.screenlyapp.com (web application)
- Our digital signage players (Screenly Player / Player Max only)
Out of Scope
- Staging and test environments that may reside on the same domains
- Third-party services not owned or controlled by Screenly (e.g., payment providers, CDNs)
- Denial-of-service or capacity stress testing
- Social engineering, phishing, or physical attacks against employees, customers, or partners
- Known public CVEs without a practical exploit path
- Low-impact issues listed under “Non-Qualifying Issues”
Safe Harbor
We support good-faith security research. If you follow this policy, restrict testing to the in-scope systems, avoid privacy-invasive actions, and report promptly, Screenly will not pursue legal action or report your activity to law enforcement.
If you inadvertently access sensitive data, stop immediately and include only minimal evidence needed to demonstrate the issue in your report.
How to Report
We provide multiple channels for submitting vulnerabilities:
- Email: [email protected]
- Web form: support.screenly.io
For complete security contact information, including PGP encryption keys, see our security.txt file, which follows RFC 9116.
When reporting, please include as much detail as possible using our reporting template (see below). For confidentiality, you may encrypt submissions using our PGP keys, which are available in the security.txt file.
What to Expect
- Acknowledgement: within 3 business days
- Initial triage & ETA: within 10 business days
- Status updates: at least every 30 days until resolution
- Remediation timeline: risk-based, with coordinated disclosure after a fix is deployed
Rewards & Recognition
Screenly may award monetary bounties for valid, previously unreported vulnerabilities.
All payouts are determined at Screenly’s sole discretion.
We consider factors such as impact, exploitability, quality of the report, reproducibility, and duplication. Reports that meaningfully reduce risk but do not qualify for a bounty may still receive recognition (e.g., Hall of Fame mention).
Rules of Engagement
Allowed
- Test only the systems listed in scope
- Use test or demo accounts
- Provide minimal proof-of-concept code that demonstrates the vulnerability
Not Allowed
- Exfiltrating or deleting sensitive data
- Large-scale automated scanning or denial-of-service attempts
- Phishing, spam, or social engineering of employees or customers
- Attacks against third-party services
Non-Qualifying Issues
Examples of findings not eligible for rewards include:
- Self-XSS that requires victim input
- Missing or misconfigured HTTP headers without exploitation impact
- Version disclosure banners
- Outdated libraries with no exploitable vulnerability
- Clickjacking on non-sensitive pages
- Rate-limit or brute-force issues with negligible impact
Reporting Template
Please include the following in your submission:
- Title
- Summary: One-paragraph description and potential impact
- Asset/URL(s): e.g., https://screenlyapp.com/path
- Category: (e.g., auth bypass, IDOR, XSS, SSRF, RCE)
- Severity estimate: CVSS vector if available
- Steps to reproduce: clear, numbered steps
- Proof of Concept (PoC): requests, screenshots, or minimal exploit
- Impact: what an attacker could achieve
- Remediation ideas: optional but helpful
- Researcher contact & disclosure preference: name or handle, email/PGP, recognition preference
Disclosure & Credit
We follow coordinated vulnerability disclosure. After remediation, we may publish advisories and will credit researchers (if consent is given). Anonymous submissions are also welcome.
Additional Security Information
For additional security details and contact information, please refer to:
- Our security.txt file (RFC 9116 compliant)
- Our comprehensive Security page which details our security measures and commitment