Website administrator

The Booksy website’s (“Website”) owner and administrator is Booksy Inc.

Loading Terms of service...

Loading Privacy Policy...

Security

The security of Booksy systems and data residing within them is crucial for us, and we treat potential security issues with a top priority. We do our best to protect the data of Booksy merchants and customers from security threats, and we encourage all users and security researchers to report security vulnerabilities discovered in our platform. We are committed to handle vulnerability reports in a timely manner and the greatest attention, provided that the following Policy is respected.At Booksy, we see security as fundamental, not just an add-on. As the digital landscape expands, the importance of protecting your personal and financial information grows. We're committed to maintaining robust security measures. Here's our approach to ensuring your data is securely protected at Booksy:

Encryption at Rest and in Transit: We take the security of your data seriously, whether it's stored or being sent. We use strong encryption to protect it from unauthorized access, keeping your information safe and private at all times.

No Stored Payment Information: We've chosen not to store your payment card information on our servers. Instead, we partner with certified payment processors who are experts in secure payment processing. These processors are PCI DSS certified, adding an extra layer of security to your financial transactions. Additionally, our hosting provider, Google, is certified against multiple standards, ensuring comprehensive protection at every level of our infrastructure.

Secure by Design: Security is at the core of our application design. We implement secure defaults and conduct daily scans of our application code and dependencies. Any potential vulnerabilities are promptly addressed, making sure our systems are up-to-date and protected against new threats.

Role-Based Access: At Booksy, access is tailored to individual roles. This means employees only get access to the information and tools essential for their job. It's a practical way to keep things secure and straightforward, minimising the chance of sensitive data falling into the wrong hands. 

Rigorous Testing and Monitoring: Our internal security team regularly tests our applications for vulnerabilities, complemented by annual penetration testing performed by external experts. Furthermore, our applications are continuously monitored, enabling us to detect and swiftly respond to potential attacks. This proactive approach ensures the highest level of security resilience and operational integrity.

Comprehensive Logging: In the unlikely event of an incident, our extensive logging capabilities allow us to swiftly trace and understand the sequence of events. This rapid response capability is crucial for mitigating risks and securing our platform against future threats.

Responsible Disclosure Program: We believe in the power of community and collaboration. Our responsible disclosure program invites security researchers and users to report any potential vulnerabilities. This approach helps us improve security and shows our dedication to being open and constantly getting better.

Ongoing Security Training: It's important to stay updated on security. We provide our employees with ongoing training in the newest security practices and protocols. This ensures our team is alert, upholds strong security practices, and remains conscious and accountable in their roles.

At Booksy, your security is our main concern. We're committed to delivering a platform you can trust, always enhancing our security measures and encouraging a culture of attentiveness. This ensures Booksy is a secure place in the online world.

Responsible Disclosure Policy

The security of Booksy systems and data residing within them is crucial for us, and we treat potential security issues with a top priority. We do our best to protect the data of Booksy merchants and customers from security threats, and we encourage all users and security researchers to report security vulnerabilities discovered in our platform. We are committed to handle vulnerability reports in a timely manner and the greatest attention, provided that the following Policy is respected.

I. DEFINITIONS:

  1. Booksy - Booksy International spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, address: ul. Prosta 67, floor 28, 00-868 Warsaw, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register under KRS number 0000515914;
  2. Policy - this responsible disclosure policy.
  3. Hall of Fame - the section on our website where we publicly thank the submitters by providing their first and last name for reporting a new security issue that is confirmed to be impactful.

II.  SCOPE

  1. Booksy’s vulnerability disclosure program covers the following products:
    1. Booksy Customer Application - https://booksy.com/
    2. Booksy Business Application - https://booksy.com/biz/
    3. Booksy Mobile Applications:
  2. Booksy for Customers (Android, iOS)
  3. Booksy Biz: For Businesses (Android, iOS)
  1. While Booksy develops a number of other products, we ask that all security researchers submit vulnerability reports only for the stated product list from point 1 above, subject to point 3 below.
  2. If you believe that you identified a critical risk vulnerability or potential data leakage which is not in scope from point 1 above, but still may negatively impact data of Booksy or its users, please do not hesitate to get in contact with us.

III. REPORTING AN ISSUE

  1. Please share the details of your security vulnerability by emailing our Security Team at security@booksy.com
  2. When reporting, make sure to include as much information as possible, including screenshots, detailed steps to reproduce the problem, the application versions that are affected and any other information that might help us to triage vulnerability more efficiently.

IV. VULNERABILITY DISCLOSURE PROCEDURE

  1. You privately share the details of the security vulnerability with our Security Team by reporting an issue, as described in point III (1) above.
  2. We acknowledge your submission and verify the vulnerability. Our first answer generally comes under 2 business days.
  3. If the vulnerability is considered valid and in scope we work on a correction in collaboration with you to the extent you are comfortable with.
  4. Once a vulnerability is patched by our product team we notify you about the fix and recognize you in our Hall of Fame, if you agree.

V. RULES OF ENGAGEMENT

  1. We ask you to obey the following rules at all times:
    1. do not view or store Booksy’s non-public data (except the data necessary to document and report the presence of a potential vulnerability);
    2. do not attempt to access or modify data that belongs to other Booksy user;
    3. do not attempt to execute denial of service attacks, or to compromise the reliability and availability of Booksy services;
    4. do not use scanners, automated tools or any other tools which may generate excessive traffic and negatively impact system’s availability;
    5. never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system;
    6. do not publicly disclose vulnerabilities without our prior consent (disclose only according to the disclosure procedure  in point IV above). 

VI. WHAT TO REPORT

  1. When contacting us, please try to create a proof-of-concept attack (with screenshot if necessary) or a script exploiting the issue. If the proposed attack scenario turns out unrealistic, your report will probably be rejected with acknowledgement.
  2. Qualifying vulnerabilities:
    1. injection vulnerabilities;
    2. XSS vulnerabilities working in supported browsers;
    3. broken authentication or session management, allowing unauthorized access to sensitive data or account takeovers;
    4. vulnerabilities resulting in arbitrary code execution or reading sensitive files/data (RCE, LFI, RFI, SSRF, XXE);
    5. broken access control (privilege escalation, IDOR, CSRF);
    6. sensitive information disclosure (PII, booking data, secrets, sensitive API keys, configuration files);
    7. business logic vulnerabilities which allow to bypass intended business flow and cause harm to Booksy or its users;
    8. other vulnerabilities where you are able to clearly demonstrate a negative impact on Booksy’s data & system security.
  3. NON Qualifying vulnerabilities:
    1. suboptimal HTTP header configuration (unless you are able to prove a non-theoretical impact of such a configuration);
    2. suboptimal SSL/TLS configuration (unless you are able to prove a non-theoretical impact of such a configuration);
    3. XSS vulnerabilities working only in unsupported/deprecated browsers, or requiring an action which is unlikely to be taken by an aware user (e.g. pressing some key combination);
    4. user/e-mail enumeration vulnerabilities;
    5. file path disclosures or error handling issues, which do not carry significant risk;
    6. clickjacking or phishing attacks using social engineering tricks to abuse users, with the system working as intended;
    7. suboptimal password policies;
    8. non-permanent Denial of Service (DoS) and distributed DoS (DDoS) that maintain resource exhaustion (cpu/network/memory) via a sustained stream of requests/packets;
    9. mobile vulnerabilities related to insufficient reverse engineering protection or client-side vulnerabilities which require e.g. compromised device to be exploited
    10. disclosure of information that does not carry significant risks (e.g. server type);
    11. suboptimal configuration of e-mail security policies (e.g. DKIM, DMARC).
  1. If you have any concerns about the scope that should be reported to us, please do not hesitate to contact us. 

VII. REWARD

  1. If you report a non-duplicate security issue that is confirmed to be impactful (see the section in point VI (2) above), we will be happy to include your name in the Booksy Security Hall of Fame section, if you agree. 
  2. If we consider that the vulnerability you reported has a major impact on Booksy security, such as critically sensitive information disclosure, remote access to core system authority, etc., you can be rewarded with an additional surprise.

VII. HALL OF FAME

We would like to thank the following individuals for their contribution to increasing the overall Booksy’s security posture.

2022

   Takshal Patel

   Mubassir Patel

   Nikhil Rane

   Shivansh Khari

   Sam Crowther

   Opinder Singh

2023

   Mohamed Shibil

   Robert Muchacki