Effective as of November 22nd, 2019.
We take the security of our customers’ data very seriously. Security is one of our core tenets, and we value the input of security professionals acting in good faith to help us maintain a high standard for the security and privacy of our users.
If you believe you’ve discovered a potential security vulnerability within one of our services or products, we strongly encourage you to disclose it to us as quickly as possible and in a responsible manner.
We will address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure. Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This applies provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Vulnerability Disclosure Policy. In the event of any non-compliance, we reserve all of our legal rights.
If in doubt, please contact us by sending an email to firstname.lastname@example.org.
We encourage you to conduct responsible security research on our products and services. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.
At this time, the following services and applications are in scope:
The following types of research are strictly prohibited:
You can responsibly disclose potential security vulnerabilities by emailing email@example.com. Ensure that you include the details of the potential security vulnerability and exploit with enough information to enable us to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:
Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response. Going forward, we will keep you informed on our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the potential security vulnerability.
Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Vulnerability Disclosure Policy.