Responsible Disclosure Policy
Keeping customer data safe and secure is our top priority. If you’ve discovered a security vulnerability, please do not share it publicly. Instead, report it to us using our security response form.
Rules for you
- Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
- Do not access or modify, or attempt to access or modify, data that does not belong to you.
- Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
- Do not run any automated tools against our servers without prior coordination.
- Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
- Do not publicly share the issue details until we confirm that it’s fixed.
- Do not attempt to blackmail us, or try to sell us your security report.
- When in doubt, contact us at support@prefinery.com.
Rules for us
- We will not pursue any legal action against you if you obey the rules above.
- We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
- We will perform our own risk assessment for every reported vulnerability.
- If your report is not eligible, we will let you know the reason why.
- We will let you decide whether you want to be publicly acknowledged for your report.
Bounty
- We do not offer cash compensation for security reports.
What does not qualify?
- Timing and DoS vulnerabilities (remember, you’re not allowed to test these).
- Vulnerabilities that have been previously reported by another user.
- Known vulnerabilities in components of our technology stack that are reported within 48 hours of their public disclosure.
- Security issues only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections).
- Bugs or functionality that reveal whether a given email address exists in our database (email enumeration), as well as the theoretical ability to brute-force such functionality.
- Vulnerabilities that we determine to be an accepted risk, including but not limited to:
  - Ability to sign up and use our services without confirming an email address.
  - Lack of CAPTCHAs on the forms.