Squarespace is committed to maintaining a strong security posture. We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered. We will investigate all legitimate reports and follow up if more details are required. Prior to reporting a vulnerability, please follow our Responsible Disclosure Guidelines and Submission Criteria outlined below.
Responsible Disclosure Guidelines
We run a private bug bounty program on HackerOne; security researchers must report security issues through that program.
If you are a security researcher, please enter your HackerOne username below. We will invite you to the program where you can resubmit your report and have it properly triaged.
Non-security researchers reporting a potential vulnerability
If you are a Squarespace customer but not a security researcher, please file a support request with any security concerns below. Before you do, please review the Submission Criteria.
Submission Criteria
Server-side Remote Code Execution (RCE)
Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
SQL Injection (SQLi)
XML External Entity Attacks (XXE)
Access Control Issues (ACI)
Local File Disclosure (LFD)
Out of Scope
All Squarespace customer websites or other customer content not owned by the researcher.
Vulnerabilities that are already known (e.g. previously discovered by an internal team or another researcher).
Network-level Denial of Service.
Application-level Denial of Service. If you find a request that takes unusually long to respond, report it to us; do not perform a DoS against the system.
Duplicate submissions that are being remediated.
Password complexity guidelines.
Lack of email validation.
Email or user enumeration.
Clickjacking or issues only exploitable through clickjacking.
XSS issues that only affect outdated browsers.
Lack of security-related flags on cookies.
Reflected File Download (RFD).
Issues that require physical access to a victim's computer.
Issues that require privileged access to the victim's network.