Security Policy
Please respect our systems: the use of automated vulnerability scanners to brute-force and spam our systems is not appreciated. Do not attempt social engineering against our users or employees.
Laws and responsible disclosure
Responsible disclosure entails:
- Sharing the problem with us in detail
- Taking the time to explain it and providing a working POC where available
- Not disclosing publicly before bugs are fixed
- Not modifying any data without consent
- Not breaking any laws
- Providing your name and the names of other team members
- Providing the company or educational institution that you represent
Recognition
Should there be monetary bounties, they will be paid via PayPal. We will need to collect a W-9 (U.S. citizens) or W-8BEN (non-U.S.) before any payment can be made. If you are unable or unwilling to share this information, we will still be happy to put your name on the recognition board.
Exclusion
The following are out of scope:
- Absence of SPF/DMARC records or policies
- Missing CSRF tokens
- Compromise of a device belonging to a customer
- Missing header information
- Arbitrary content hosting (including any open source CMS platform)
- Contact forms
- XSS and Self-XSS
- Host header injection
- Reports of spam
- Reports from automated tools or scanners
- Tapjacking
- Social engineering
- Missing cookie flags
- Insecure TLS ciphers
- Presence of the autocomplete attribute on web forms
- Vulnerabilities that affect our users through outdated third-party software
- Known vulnerabilities without a working exploit
- Vulnerabilities in protocols that are outside our control
All reports must be submitted through the appropriate channel (above). By submitting a report, you agree to all of the rules on this page.
Other matters
This is not a competition or contest. We ask that all researchers participate in good faith and practice responsible disclosure.
Recognition - Many thanks to:
- Anonymous Researcher
- Snehal Datar
- Omprakash Patel