1. Introduction
At [Platform Name], we take the security of our platform and our customers' data seriously. We welcome feedback from security researchers and the broader community to help us maintain the highest security standards. This Responsible Disclosure Policy outlines our expectations for reporting potential vulnerabilities and our commitment to addressing them.
2. Scope
2.1 In Scope
The following domains and services are within scope:
- *.[platform].com
- app.[platform].com
- api.[platform].com
- [Platform Name] mobile applications (iOS and Android)
- [Platform Name] desktop applications
- [Platform Name] open-source components (listed on our GitHub)
2.2 Out of Scope
The following are NOT in scope:
- Third-party services or integrations
- Denial of Service (DoS/DDoS) attacks
- Physical security attacks
- Social engineering attacks against employees
- Spamming or phishing our employees or customers
- Automated vulnerability scanners without throttling
- Previously reported vulnerabilities
- Vulnerabilities requiring compromised user accounts
- Vulnerabilities in third-party libraries with known patches (please report to the library maintainer)
- Issues requiring physical access to devices
3. Our Commitments
When you report a potential vulnerability to us in accordance with this policy, we commit to:
3.1 Response and Resolution
- Acknowledgment: We will acknowledge receipt within 3 business days.
- Investigation: We will investigate and validate the report within 10 business days.
- Communication: We will keep you informed of progress.
- Remediation: We will address validated vulnerabilities promptly based on severity.
- Recognition: We will publicly acknowledge your contribution (with your consent).
3.2 Safe Harbor
We consider security research conducted under this policy to be:
- Authorized conduct under the Computer Fraud and Abuse Act (CFAA) and similar laws.
- Exempt from our Acceptable Use Policy's prohibition against unauthorized access.
We will not pursue legal action against researchers who:
- Follow this disclosure policy.
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption.
- Do not exploit a vulnerability beyond what is necessary to demonstrate the issue.
4. Researcher Responsibilities
If you choose to participate in our responsible disclosure program, you agree to:
4.1 Do No Harm
- Do not access or modify data that does not belong to you.
- Do not disrupt our services or degrade user experience.
- Do not use automated scanning tools without rate limiting.
- Do not perform tests that could trigger rate limiting, account lockouts, or alerts without coordination.
- Do not publicly disclose the vulnerability before we have addressed it.
4.2 Reporting Guidelines
When submitting a report, please include:
- Description: Clear description of the vulnerability and potential impact.
- Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue.
- Proof of Concept: Code, screenshots, or videos demonstrating the vulnerability.
- Environment: Browser/OS versions, tools used, and relevant configuration.
- Your Contact: Email address for follow-up (PGP key for encrypted communication preferred).
4.3 Prohibited Actions
- Do not publicly disclose vulnerabilities before we have addressed them.
- Do not demand payment or ransom.
- Do not threaten or coerce.
- Do not violate any laws.
5. Vulnerability Categories
5.1 What We're Interested In
We are particularly interested in:
Critical Severity:
- Remote Code Execution (RCE)
- SQL Injection leading to data extraction
- Authentication bypass
- Privilege escalation
- Server-Side Request Forgery (SSRF) with sensitive data exposure
High Severity:
- Cross-Site Scripting (XSS) that impacts other users
- Cross-Site Request Forgery (CSRF) on state-changing operations
- Insecure Direct Object References (IDOR) exposing other users' data
- Sensitive data exposure (credentials, tokens, PII)
- Business logic flaws with security impact
Medium Severity:
- Information disclosure (non-sensitive)
- Clickjacking
- Missing security headers
- Subdomain takeover of non-critical domains
- Rate limiting issues
5.2 What We Typically Do Not Accept
- Vulnerabilities requiring MITM on already encrypted connections
- Missing security headers alone (without demonstrated impact)
- Self-XSS
- Password policy complaints
- Username/email enumeration on login pages
- Version disclosure (without associated vulnerability)
- Issues in outdated browsers
- Social engineering
- Physical attacks
- Denial of Service
6. Disclosure Process
6.1 Reporting
Submit your report through one of the following channels:
6.2 What to Expect
| Step | Timeline | Description |
| --- | --- | --- |
| Acknowledgment | Within 3 business days | We confirm receipt and provide a tracking ID |
| Triage | Within 5 business days | We assess validity and severity |
| Validation | Within 10 business days | We reproduce and confirm the issue |
| Remediation Planning | Within 15 business days | We plan the fix based on severity |
| Fix Implementation | Varies by severity | Critical: 7 days; High: 30 days; Medium: 90 days |
| Public Disclosure | After fix deployed | Coordinated disclosure with researcher |
6.3 Status Updates
- You will receive periodic updates (at least every 14 days) on progress.
- If we determine a report is invalid, we will explain why.
- You may inquire about status at any time using your tracking ID.
7. Recognition and Rewards
7.1 Hall of Fame
With your consent, we will publicly acknowledge your contribution in our Security Hall of Fame, including:
- Your name or handle
- The vulnerability type
- Date of report
7.2 Bug Bounty Program
We may offer a bug bounty program for particularly significant findings. Eligibility:
- First valid report of a unique vulnerability.
- Not disclosed publicly before fix.
- Follows all researcher responsibilities.
- Not reported through automated scanning.
Reward Ranges (if applicable):
- Critical: $5,000 - $15,000
- High: $1,000 - $5,000
- Medium: $250 - $1,000
- Low: $50 - $250
Note: Bounty amounts and eligibility are at our sole discretion. Government employees and residents of certain jurisdictions may not be eligible.
8. Vulnerability Information
8.1 Confidentiality
You agree to keep all non-public information about discovered vulnerabilities confidential until we have:
- Confirmed the vulnerability.
- Implemented a fix.
- Allowed reasonable time for customers to patch.
8.2 Coordinated Disclosure
We support coordinated disclosure:
- We will work with you to establish a disclosure timeline.
- Typically 30-90 days after fix deployment.
- We will credit you in any public advisory (with your consent).
- We may request an embargo extension for critical issues.
9. Legal Posture
9.1 Safe Harbor Provisions
We consider security research conducted under this policy to be:
- Authorized access under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
- Authorized under the Digital Millennium Copyright Act (DMCA) for circumvention necessary for good faith security research (17 U.S.C. § 1201(j)).
- Consistent with our Terms of Service.
9.2 No Waiver of Rights
This policy does not:
- Waive any intellectual property rights.
- Grant permission to violate other laws.
- Create a contract or legal obligation.
- Prevent us from taking action against malicious actors.
9.3 Third Parties
If your research involves third-party services or customers:
- Do not access customer data beyond what is publicly available.
- Stop immediately if you encounter customer data.
- Report any inadvertent access to customer data as part of your report.
10. Frequently Asked Questions
Q: Can I test with automated scanners?
A: Please limit automated scanning to prevent service disruption. Coordinate intensive scanning with us first.
Q: What about vulnerabilities in third-party software?
A: Please report to the third party directly. If the vulnerability impacts our deployment, we appreciate being notified.
Q: Can I publicly disclose after fix?
A: Yes, we support responsible public disclosure after fixes are deployed. Please coordinate with us.
Q: What if I find customer data?
A: Stop immediately, do not access further, and report with details of what you observed.
Q: Do you have a bug bounty?
A: We may offer rewards on a case-by-case basis for significant findings. Not all reports qualify.