| 1 | +Responsible Disclosure Program |
| 2 | + |
| 3 | +At ${COMPANY_NAME}, Inc., we take security of our users’ data very |
| 4 | +seriously. If you have discovered or believe you have discovered |
| 5 | +potential security vulnerabilities in an ${COMPANY_NAME} Service, we |
| 6 | +encourage you to disclose your discovery to us as quickly as possible in |
| 7 | +accordance with this Responsible Disclosure Program. |
| 8 | + |
| 9 | +We will work with you to validate and respond to security |
| 10 | +vulnerabilities that you report to us. Because public disclosure of a |
| 11 | +security vulnerability could put the entire ${COMPANY_NAME} community at |
| 12 | +risk, we require that you keep such potential vulnerabilities |
| 13 | +confidential until we are able to address them. We will not take legal |
| 14 | +action against you or suspend or terminate your access to any |
| 15 | +${COMPANY_NAME} Services, provided that you discover and report security |
| 16 | +vulnerabilities in accordance with this Responsible Disclosure Program. |
| 17 | +${COMPANY_NAME} reserves all of its legal rights in the event of any |
| 18 | +noncompliance. |
| 19 | + |
| 20 | +Capitalized terms not defined in this Responsible Disclosure Program |
| 21 | +shall have the meaning set forth in our Terms of Use. |
| 22 | +Discovering Security Vulnerabilities |
| 23 | + |
| 24 | +We encourage responsible security research on the ${COMPANY_NAME} |
| 25 | +services and products, including Webtask. We allow you to conduct |
| 26 | +vulnerability research and testing on the ${COMPANY_NAME} Services to |
| 27 | +which you have authorized access. In no event shall your research and |
| 28 | +testing involve: |
| 29 | + |
| 30 | + Accessing, or attempting to access, accounts or data that does not |
| 31 | +belong to you or your Authorized Users, |
| 32 | + Any attempt to modify or destroy any data, |
| 33 | + Executing, or attempting to execute, a denial of service attack, |
| 34 | + Sending, or attempting to send, unsolicited or unauthorized email, |
| 35 | +spam or other forms of unsolicited messages, |
| 36 | + Testing third party websites, applications or services that |
| 37 | +integrate with the ${COMPANY_NAME} Services, |
| 38 | + Posting, transmitting, uploading, linking to, sending or storing |
| 39 | +malware, viruses or similar harmful software, or otherwise attempting to |
| 40 | +interrupt or degrade the ${COMPANY_NAME} services, and |
| 41 | + Any activity that violates any applicable law. |
| 42 | + |
| 43 | +Issues not to Report |
| 44 | + |
| 45 | +The following is a partial list of issues that we ask for you not to |
| 46 | +report, unless you believe there is an actual vulnerability: |
| 47 | + |
| 48 | + CSRF on forms that are available to anonymous users |
| 49 | + Disclosure of known public files or directories (e.g. robots.txt) |
| 50 | + Domain Name System Security Extensions (DNSSEC) configuration |
| 51 | +suggestions |
| 52 | + Banner disclosure on common/public services |
| 53 | + HTTP/HTTPS/SSL/TLS security header configuration suggestions |
| 54 | + Lack of Secure/HTTPOnly flags on non-sensitive cookies |
| 55 | + Logout Cross-Site Request Forgery (logout CSRF) |
| 56 | + Phishing or Social Engineering Techniques |
| 57 | + Presence of application or web browser 'autocomplete' or 'save |
| 58 | +password' functionality |
| 59 | + Sender Policy Framework (SPF) configuration suggestions |
| 60 | + |
| 61 | +Reporting Security Vulnerabilities |
| 62 | + |
| 63 | +If you believe you have discovered a security vulnerability issue, |
| 64 | +please share the details with ${COMPANY_NAME} by filling the form below. |
| 65 | + |
| 66 | +${COMPANY_NAME} will acknowledge receipt of your report within 2 |
| 67 | +business days, provide you with an estimated timetable for resolution of |
| 68 | +the vulnerability, notify you when the vulnerability is fixed, and, with |
| 69 | +your permission, publicly acknowledge your responsible disclosure. |
| 70 | + |
| 71 | +Email communication between you and ${COMPANY_NAME}, including without |
| 72 | +limitation, emails you send to ${COMPANY_NAME} reporting a potential |
| 73 | +security vulnerability, should not contain any of your proprietary |
| 74 | +information. The contents of all email communication you send to |
| 75 | +${COMPANY_NAME} shall be considered non-proprietary. ${COMPANY_NAME}, or |
| 76 | +any of its affiliates, may use such communication or material for any |
| 77 | +purpose whatsoever, including, but not limited to, reproduction, |
| 78 | +disclosure, transmission, publication, broadcast, and further posting. |
| 79 | +Further, ${COMPANY_NAME} and its affiliates are free to use any ideas, |
| 80 | +concepts, know-how, or techniques contained in any communication or |
| 81 | +material you send to ${COMPANY_NAME} for any purpose whatsoever, |
| 82 | +including, but not limited to, fixing, developing, manufacturing, and |
| 83 | +marketing products. By submitting any information, you are granting |
| 84 | +${COMPANY_NAME} a perpetual, royalty-free and irrevocable right and |
| 85 | +license to use, reproduce, modify, adapt, publish, translate, |
| 86 | +distribute, transmit, publicly display, publicly perform, sublicense, |
| 87 | +create derivative works from, transfer and sell such information. |
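Review bot: the heading "Discovering Security Vulnerabilities" is not separated from the preceding paragraph ("...set forth in our Terms of Use.") by a blank line, unlike "Issues not to Report" and "Reporting Security Vulnerabilities", which both have one; add the blank line so all three section headings are formatted consistently. Under "Reporting Security Vulnerabilities" the text tells the reporter to share details "by filling the form below", and the following paragraph refers to "emails you send to ${COMPANY_NAME}", but the file contains neither a form nor a reporting address or URL, so a reader of this document alone has no way to submit a report; add the reporting channel or a pointer to where it lives. Minor: "we ask for you not to report" reads better as "we ask you not to report".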