Prezi Responsible Disclosure

At Prezi, we take security of our users’ data very seriously and we believe in harnessing the power of the security researcher community to help keep our users safe. We encourage the responsible disclosure of security vulnerabilities.

This brief ("brief") covers your participation in the Prezi Responsible Disclosure Program (the "Program"). It sets out terms between you and Prezi ("Prezi," "us" or "we"). By submitting any vulnerabilities to Prezi or otherwise participating in the Program in any manner, you accept these terms, the Prezi Privacy Policy, and the BugCrowd Standard Disclosure Terms, Code of Conduct, Disclosure Policy, and Terms of Service.

To join the program, you should read this entire brief, and only proceed if you accept all the terms within.

Thank you for making Prezi better for everyone!

Discovering security vulnerabilities

We encourage and allow you to conduct security research and vulnerability testing on Prezi services and products to which you have authorized access on the “prezi.com” domain.
Please always keep the following rules in mind:

  • Never attempt to access someone else’s account or data; please always use your own account(s) for testing.
  • Never try to modify or destroy any data that does not belong to you.
  • Do not attempt or launch a denial of service attack. We and our users appreciate reliability.
  • Do not attempt or execute social engineering attacks (including but not limited to unsolicited or unauthorized emails, spam, or other forms of unsolicited messages).
  • Do not test third parties that integrate with Prezi services (see the “What we are not interested in” section below for more details).
  • Do not operate directly or indirectly with malicious or harmful software. We like to keep prezi.com clean for our users.
  • Don’t do anything that violates any applicable law.
  • Your participation in the Program is entirely voluntary. You acknowledge that Prezi has not offered or promised any reward or bounty payment for your participation in the Program. However, Prezi reserves the right to reward participation in the Program in its sole discretion on a case by case basis.

What we are not interested in

In general, please don’t report the following findings, unless you can showcase an actual vulnerability leading to significant impact:

  • CSRF vulnerabilities where exploitation is not realistically feasible (e.g. another random or hard-to-obtain value is required for exploitation), and CSRF in the authentication function
  • Missing "HttpOnly" flag on cookies other than the following: auth-sessionid, prezi-auth, sessionid
  • Missing "Secure" flag on any cookie
  • Username / user id enumeration
  • Missing "X-Frame-Options", "Strict-Transport-Security", "X-Content-Type-Options: nosniff", "X-XSS-Protection" headers
  • Phishing by navigating tabs via "window.opener" (a.k.a. reverse tabnabbing)
  • Absence of rate limiting
  • Denial of Service
  • User password brute force attacks
  • "Leakage" of publicly available information (e.g. server version info in a response header)

Since our list of integrations might change, please always resolve our subdomains before testing to verify that they do not point to an external / third-party service.

For example, the following domains and subdomains are pointing to different third-party solutions, which we are not authorized to include in this program:

  • beautifulbits.prezi.com
  • blog.prezi.com
  • support.prezi.com
  • *.cdn01.prezi.com
  • *.cdn02.prezi.com
  • streamingcdn.prezi.com
  • videocdn.prezi.com
  • videothumbcdn.prezi.com
  • email.prezi.com
  • *.preziusercontent.com
  • *.prezicdn.net
  • *.prezi.community
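The brief asks researchers to resolve each subdomain before testing and to stay away from anything pointing at a third-party service. The following added example (not Prezi's own code) shows one way to turn that instruction into a repeatable check: it applies the exclusion patterns listed above and flags any host whose CNAME chain leaves the prezi.com domain. The resolution results in `SAMPLE_RESOLUTIONS` and every `.example` hostname are constructed placeholders, not real DNS data.

```python
# Added example (not part of Prezi's brief): scope check that follows the
# brief's instruction to resolve subdomains and skip any that point to a
# third-party service. The CNAME data below is constructed sample input.
import fnmatch

IN_SCOPE_DOMAIN = "prezi.com"

# Entries the brief lists as pointing to third-party solutions
# ("*." entries are wildcards; trailing slashes dropped).
EXCLUDED_PATTERNS = [
    "beautifulbits.prezi.com", "blog.prezi.com", "support.prezi.com",
    "*.cdn01.prezi.com", "*.cdn02.prezi.com", "streamingcdn.prezi.com",
    "videocdn.prezi.com", "videothumbcdn.prezi.com", "email.prezi.com",
    "*.preziusercontent.com", "*.prezicdn.net", "*.prezi.community",
]


def is_listed_exclusion(hostname: str) -> bool:
    """True if the hostname matches an entry from the brief's exclusion list."""
    host = hostname.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in EXCLUDED_PATTERNS)


def is_first_party(name: str) -> bool:
    """True if a DNS name is the in-scope domain or one of its subdomains."""
    host = name.lower().rstrip(".")
    return host == IN_SCOPE_DOMAIN or host.endswith("." + IN_SCOPE_DOMAIN)


def classify(hostname: str, cname_chain: list[str]) -> str:
    """Decide whether a host may be tested under the brief.

    cname_chain is the ordered list of CNAME targets seen while resolving
    hostname (empty if it resolved directly to an address record).
    Returns "excluded", "third-party", or "in-scope".
    """
    if not is_first_party(hostname) or is_listed_exclusion(hostname):
        return "excluded"
    # Any hop that leaves the first-party domain means the service is hosted elsewhere.
    if any(not is_first_party(target) for target in cname_chain):
        return "third-party"
    return "in-scope"


def scope_report(resolutions: dict[str, list[str]]) -> dict[str, str]:
    """Map each resolved hostname to its scope verdict."""
    return {host: classify(host, chain) for host, chain in resolutions.items()}


# Constructed sample resolution results (hypothetical names, not real DNS answers).
SAMPLE_RESOLUTIONS = {
    "www.prezi.com": [],
    "blog.prezi.com": ["vendor-blog-host.example"],
    "assets.cdn01.prezi.com": ["edge.cdn-provider.example"],
    "labs.prezi.com": ["labs-origin.prezi.com"],
    "newfeature.prezi.com": ["app.saas-vendor.example"],
}

if __name__ == "__main__":
    for host, verdict in scope_report(SAMPLE_RESOLUTIONS).items():
        print(f"{host:28} {verdict}")
```

To use it against live data, replace `SAMPLE_RESOLUTIONS` with the CNAME chain returned for each host (for example from `dig +short CNAME <host>`). The check is conservative by design: a host that fails either test is treated as out of bounds, and a host with no CNAME is only marked in-scope because the brief's exclusion list did not catch it, so the list above remains the authority when it changes.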

Reporting security vulnerabilities

If you believe you have discovered a security vulnerability, please share the details with us by completing the form below.

We will acknowledge receipt of your report within five business days and work with you to understand the issue so we can validate it. We will also do our best to give an estimate on the resolution of the vulnerability and notify you when it is fixed.

Confidentiality

Any information you receive, collect or discover about Prezi or any Prezi user through the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not disclose any such Confidential Information (except in your report to Prezi) without Prezi’s prior written consent.

Licenses you grant to Prezi

Prezi, or any of its affiliates, may use the communication between you and Prezi, or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, Prezi and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Prezi for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting Prezi a perpetual, royalty-free, and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer, and sell such information.

Personal Data

In most cases, we process your personal data to communicate with you. However, other purposes may apply, as set forth in the Prezi Privacy Policy.