Introduction

Squarespace is committed to maintaining a strong security posture. We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered. We will investigate all legitimate reports and follow up if more details are required. Prior to reporting a vulnerability, please follow our Responsible Disclosure Guidelines and Submission Criteria outlined below.

Responsible Disclosure Guidelines

We have a private bug bounty managed by HackerOne where security issues must be reported by security researchers.

If you are a security researcher, please enter your HackerOne username below. We will invite you to the program where you can resubmit your report and have it properly triaged.


Non-security researchers reporting a potential vulnerability

If you are a Squarespace customer but not a security researcher, please file a support request with any security concerns below. Before you do, please review the Submission Criteria.

Submission Criteria

In-scope:

  • Server-side Remote Code Execution (RCE)

  • Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • Server-Side Request Forgery (SSRF)

  • SQL Injection (SQLi)

  • XML External Entity Attacks (XXE)

  • Access Control Issues (ACI)

  • Local File Disclosure (LFD)

Out-of-scope:

  • All Squarespace customer websites or other customer content not owned by the researcher.

  • Vulnerabilities that are already known (e.g. previously discovered by an internal team or another researcher).

  • Network-level Denial of Service.

  • Application-level Denial of Service. If you find a request that takes too long to respond, report it to us; do not DoS the system.

  • Self-XSS.

  • Duplicate submissions that are being remediated.

  • Password complexity guidelines.

  • Lack of email validation.

  • Email or user enumeration.

  • Clickjacking or issues only exploitable through clickjacking.

  • XSS issues that only affect outdated browsers.

  • Lack of security-related flags on cookies.

  • Password brute-forcing.

  • Reflected File Download (RFD).

  • Issues that require physical access to a victim's computer.

  • Issues that require privileged access to the victim's network.