We deeply apologize for current delays in our ability to handle reports. We have a small security team, made up of usually 3 people, and we have been unable to get through reports at the rate we would like. Please be patient if it takes us a while to get to your report

No technology is perfect, and Endless Group believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• SPAMMING ANY OF OUR SIGNUP OR PARTNER FORMS WILL RESULT IN YOU BEING BLOCKED FROM THE PROGRAM!

• At this time we can only offer in-service rewards. If you would like these rewards, please let us know once your bug is marked as resolved. These rewards include things such as plan upgrades.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service

• Spamming

• Social engineering (including phishing) of Endless Group staff or contractors

• Any physical attempts against Endless Group property or data centers

• Spamming our partner or signup forms using automated tools

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out of Scope

Besides the domains/things listed as Out of Scope below, the following are also considered N/A:

• EH's customer sites (*.endl.site), or anything that is user-generated content on the service.

• Attacking random addresses on our CIDR range. Our CIDR range includes customer sites. Please do not scan and attack addresses on this range without a forward or reverse DNS answer that is listed as in scope below, as otherwise you will be disrupting services not owned by Endless Group. Attacks against customer owned sites or IP addresses are NOT COVERED by our safe harbor policy!

• Insecure-Cookies as these generally do not pose a large security risk.

• Clickjacking vulnerabilities as these also generally do not pose a large risk

• HSTS/HSTS-Preloading

• (for now, may change soon, keep a look out) Password auth allowed on SSH

• Invalid SPF Setups (This only applies to GMail. Please test with other providers prior to reporting).

Thank you for helping keep Endless Group and our users safe!