Vulnerability Disclosure Policy
Rules and guidelines
The following rules and guidelines must be followed if you discover a vulnerability:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Do not exploit a vulnerability to gain access to sensitive information that you don’t have permission to access.
- Notify us as soon as possible after you discover a real or potential security issue.
Once you’ve established that a vulnerability exists or encountered any sensitive data, you must stop your test, notify us immediately, and not disclose this data to anyone else.
At this time, we do not offer compensation for discovered vulnerabilities.
Reporting a vulnerability
E-mail your findings to firstname.lastname@example.org. Preferably, encrypt your findings using our public PGP key, which can be downloaded here.
8860 D8BD 30B6 A0AF C296 5DDF 6825 EAC1 66D5 ED69
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
- We strive for an open dialogue to discuss issues.