Vulnerability Disclosure Policy

The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
• Perform research only within the scope set out below;
• Use the identified communication channels to report vulnerability information to us; and
• Keep information about any vulnerabilities you’ve discovered confidential between yourself and us to remediate discovered vulnerabilities in a timely manner.

If you follow these guidelines when reporting an issue to us, we commit to:

• Work with you to understand and validate your report, including a timely initial response to the submission;
  
• Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
• Not pursue or support any legal action related to your research

Scope

Web site and web applications using the following URLs:

• *.weekplan.net

Out of scope
Any services hosted by 3rd party providers and services are excluded from scope. These services include:

• Hosting Services
• Email Services
• Payment Service Providers

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

• Findings from physical testing such as office access (e.g. open doors, tailgating)
• Findings derived primarily from social engineering (e.g. phishing, vishing)
• Findings from applications or systems not listed in the ‘Scope’ section
• UI and UX bugs and spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

• Personally identifiable information (PII)
• Credit card holder data

How to report a security vulnerability? 

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@weekplan.net. 

Please include the following details with your report:

• Description of the location and potential impact of the vulnerability;
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
• Your name/handle and a link for recognition in our Hall of Fame.

Security Researcher Hall of Fame

- Mubassir Patel (twitter: @Mubassirpatel): found an employee's credentials in some of our source code.