StashAway Vulnerability Disclosure Policy

StashAway is committed to ensuring the security of our customers' data and the reliability of our products and services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and its reporting.

Legal Safe Harbor

This section makes sure that security researchers are safe from any prosecution when they act in good faith.

• StashAway will not pursue legal action against security researchers as long as they make a good faith effort to comply with this policy during their research activities.
• StashAway will not pursue legal action against security researchers for accidental, good faith violations of this policy.
• Should legal action be initiated by a third party against a researcher, and the researcher has been compliant with this policy, StashAway will take the neccessary measures to make it known that the researcher's activities are authorized.

Restricted Actions

This section lists actions are not authorized. Performing any of them will constitute a violation to this policy:

• Breach of any applicable laws in connection to, and leading up to your report.
• Denial of Service (DoS) or other actions that degrade, damage, or interrupt StashAway services.
• Exploitation of any vulnerabilities found.
• Social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks.
• Testing physical security of any property, building, plant or factory of StashAway.
• Leak/modify/destroy/misuse/abuse any user data or system files.

Reporting

The preferred method for contacting StashAway regarding security vulnerabilities is by using the form present on this page.

StashAway highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our product and services.

By submitting a report, you expressly agree to the following terms:

• You assign all use and ownership rights of the report to StashAway.
• Your actions and interactions with StashAway leading up to the report is not in violation of any applicable laws.
• You have no intention of harming StashAway, its customers, employees, partners, vendors or suppliers.
• You agree to not disclose any information about the report and vulnerability described within, and the fact that you submitted a report to StashAway.
• You agree that the report is made out of goodwill, and is done without any expectations of rewards, monetary or otherwise, from StashAway.

Contact Information

Supplying your contact information with your report is entirely voluntary and at your discretion. This does not guarantee that you will receive any responses from StashAway regarding your report. StashAway may contact you regarding the contents of the report at its own discretion.