Responsible Disclosure Policy
Keeping customer data safe and secure is our top priority. If you've
discovered a security vulnerability, please do not share it publicly.
Instead, report it to us using our security response
Rules for you
- Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
- Do not access or modify, or attempt to access or modify, data that does not belong to you.
- Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
- Do not run any automated tools against our servers without prior coordination.
- Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
- Do not publicly share the issue details until we confirm that it’s fixed.
- Do not attempt to blackmail us, or try to sell us your security report.
- When in doubt, contact us at firstname.lastname@example.org.
Rules for us
- We will not pursue any legal action against you, if you obey the rules above.
- We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
- We will perform our own risk assessment for every reported vulnerability.
- If your report is not eligible, we will let you know the reason why.
- We will let you decide whether you want to be publicly acknowledged for your report.
Hall of Fame
For eligible reports, we can acknowledge your work by putting your name and
(optionally) a link to your personal page on the list of security contributors
- We do not offer cash compensation for security reports.
- For some eligible reports that we identify as particularly important, we may reward you with our branded stickers or a t-shirt. If you’d like to receive something from us, please put your mailing address in the security response form, or share it later when we confirm the eligibility of your report.
What does not qualify?
- Vulnerabilities to timing and DOS attacks (remember, you’re not allowed to test these).
- Vulnerabilities that have been previously reported by another user.
- Known vulnerabilities in the components of our technological stack reported within 48 hours since their public reveal.
- Security issues, only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections).
- Bugs or functionality that proves that a tested email address exists in our database as well as the theoretical ability to brute-force such functionality.
- Vulnerabilities that we determine to be an accepted risk, including but not limited to:
- Ability to sign up and use our services without confirming an email address.
- Lack of CAPTCHAs on the forms.
- Lack of use of hardfail (-all) on SPF records.
- Lack of a "reject" record in DMARC.
Thanks for your support!
We're grateful to the following people who have helped us improve the security