Onfido Responsible Disclosure Policy ## Introduction

At Onfido, it is our mission to bring the world’s legal identities safely online by verifying identities and carrying out checks related to those identities (our “Identity Services”). It is paramount how we secure and protect the information we collect and use when accomplishing this mission. To learn more about how we secure this information, please review the Guide to Security at Onfido.

The safety and security of our customers’ data, and the reliability of our products and services, are of utmost importance for us. Therefore, we aim to design and make products and services with the highest levels of security and reliability. Despite our best efforts, due to the highly complex and sophisticated nature of our products and services, vulnerabilities and errors may still be present in our products and services.

This policy describes Onfido’s approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services from those that interact with such products and services.

Customers, users, researchers, partners and any other person that interacts with Onfido’s products and services are encouraged to report identified vulnerabilities and errors with such products and services.

The preferred method for contacting Onfido regarding such vulnerabilities and errors is by using the form present on this page.

Onfido highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our product and services.

Please note that supplying your contact information with your report is entirely voluntary and at your discretion. Onfido will make use of all reports that are submitted; both those submitted anonymously and those with contact information. If you do submit your contact information, Onfido will only use such information to get in touch with you regarding clarifying the details of your report, if that is necessary. Otherwise, please visit Onfido’s general privacy policy to see how we respect the privacy of your personal data.

By making a report to Onfido using the form on this page, or otherwise communicating a report to Onfido, regarding vulnerabilities and errors, you agree to the following terms:

Onfido may use your report for any purpose deemed relevant by Onfido, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that Onfido deems to exist and to require correction. To the extent that you propose any changes and/or improvements to a Onfido product or service in your report, you assign to Onfido all use and ownership rights to such proposals.

You confirm to Onfido that:

• You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to Onfido), the discovered vulnerabilities and/or errors;
• You have not engaged, and will not engage, in testing/research of systems with the intention of harming Onfido, its customers, employees, partners or suppliers;
• You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
• You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
• You have not tested, and will not test, the physical security of any property, building, plant or factory of Onfido;
• You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with Onfido product or service that lead to your report.
• You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that a vulnerabilities and/or errors has been reported to Onfido.
• Onfido does not guarantee that you will receive any response from Onfido related to your report. Onfido will only contact your regarding your report if Onfido deems it necessary.
• You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Onfido.

Scope

The scope of this policy extends to all domains and assets directly belonging to/managed by Onfido, excluding any third-party owned/managed assets. Hence, any report submitted should concern (but might not be limited to) the following systems and services:

• *.onfido.com
• Web SDK
• Android SDK
• iOS SDK

Be mindful that we do not provide a mobile (or web) application, but only the SDK code that will then be integrated by our customers into their own mobile or web apps. When reporting vulnerabilities in the SDK please consider if the issue lies in the code itself or depends on the mobile application that is built on top of it (for eg. SSL pinning missing from the app would be out of scope as it’s not related to the SDK). Also please be aware that the scope is the SDK code itself and any potential issues related to the Github configuration of the repositories are to be considered separate.

If you aren’t sure whether a system is in scope or not, contact us at bugbounty@onfido.com