Vulnerability Disclosure Policy
The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and us so that we can remediate them in a timely manner.
If you follow these guidelines when reporting an issue to us, we commit to:
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue; and
- Not pursue or support any legal action related to your research.
Scope
Web site and web applications using the following URLs:
Out of scope
Any services hosted by third-party providers are excluded from scope. These services include:
- Hosting Services
- Email Services
- Payment Service Providers
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Network-level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
- Personally identifiable information (PII)
- Credit card holder data
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing firstname.lastname@example.org.
Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
- Your name/handle and a link for recognition in our Hall of Fame.
Security Researcher Hall of Fame
- Mubassir Patel (twitter: @Mubassirpatel): found an employee's credentials in some of our source code.