Responsible Disclosure Policy

Keeping customer data safe and secure is our top priority. If you’ve discovered a security vulnerability, please do not share it publicly. Instead, report it to us using our security response form.

Rules for you

  • Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
  • Do not access or modify, or attempt to access or modify, data that does not belong to you.
  • Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers without prior coordination.
  • Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
  • Do not publicly share the issue details until we confirm that it’s fixed.
  • Do not attempt to blackmail us, or try to sell us your security report.
  • When in doubt, contact us at support@prefinery.com.

Rules for us

  • We will not pursue any legal action against you if you obey the rules above.
  • We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know the reason why.
  • We will let you decide whether you want to be publicly acknowledged for your report.

Bounty

  • We do not offer cash compensation for security reports.

What does not qualify?

  • Susceptibility to timing and DoS attacks (remember, you’re not allowed to test these).
  • Vulnerabilities that have been previously reported by another user.
  • Known vulnerabilities in the components of our technology stack reported within 48 hours of their public disclosure.
  • Security issues that are only reproducible under highly unlikely conditions (outdated or exotic web browsers, operating systems, or insecure internet connections).
  • Bugs or functionality that reveal whether a given email address exists in our database, as well as the theoretical ability to brute-force such functionality.
  • Vulnerabilities that we determine to be an accepted risk, including but not limited to:
    • Ability to sign up and use our services without confirming an email address.
    • Lack of CAPTCHAs on the forms.
