Responsible Disclosure Policy

Last Updated: November 19, 2024

1. Introduction

We value the security community’s efforts in helping keep our platform and users safe. This policy provides guidelines for conducting security research and reporting vulnerabilities. Our goal is to maintain industry best practices while ensuring legal compliance.

2. Scope

2.1 Covered Systems

• Our website and associated domains
• Our web applications
• Our APIs
• Our mobile applications

2.2 Out of Scope

• Third-party services
• Physical security
• Social engineering
• Systems not owned by us

3. Authorization

3.1 Permitted Activities

• Security research on your own accounts
• Testing on test accounts you create
• Research that doesn’t impact other users
• Non-intrusive vulnerability scanning

3.2 Prohibited Activities

1. Legal Violations
   • Breaking applicable laws
   • Violating privacy regulations
   • Unauthorized access attempts
2. System Attacks
   • Denial of Service (DoS) attacks
   • Brute force attacks
   • Spam or unauthorized messaging
   • Installing malicious software
3. Data Access
   • Accessing other users’ accounts
   • Accessing unauthorized data
   • Modifying system or service data
   • Excessive data retrieval
4. Testing Restrictions
   • Third-party integration testing
   • Intrusive scanning
   • Automated vulnerability scanning without approval
   • Physical security testing
5. Other Prohibited Actions
   • Access from sanctioned locations
   • Access by sanctioned individuals
   • Access by minors
   • Requesting payment for vulnerabilities
   • Public disclosure without authorization

4. Reporting Process

4.1 How to Report

1. Use our website contact form
2. Mark the message for the Security Team
3. Include all relevant details
4. Maintain confidentiality

4.2 Required Information

Your report should include:

• The URL, IP, or page where the vulnerability exists
• Vulnerability type and description
• Steps to reproduce the issue
• Potential impact assessment
• Your contact information
• Any relevant screenshots or proof of concept

4.3 Response Timeline

• Initial acknowledgment: 48 hours
• Status update: 5 business days
• Resolution timeline: Based on severity

5. Our Commitments

5.1 We Promise To

• Acknowledge your report promptly
• Investigate all legitimate reports
• Keep you informed of our progress
• Maintain confidentiality of your report
• Address vulnerabilities in a timely manner

5.2 Safe Harbor

Researchers who:

• Comply with this policy
• Make a good faith effort to avoid privacy violations
• Avoid disruption to our service
• Do not access or modify user data Will not be subject to legal action related to their research.

6. Legal Considerations

6.1 Policy Limitations

This policy:

• Does not provide authorization for law violations
• Does not override existing agreements
• Does not allow testing of third-party systems
• Does not guarantee payment or rewards

6.2 Compliance Requirements

All research must comply with:

• Applicable laws and regulations
• Data protection requirements
• User privacy rights
• Terms of service

7. Disclosure Policy

7.1 Confidentiality

• Do not disclose vulnerabilities publicly
• Maintain confidentiality until resolved
• Written authorization required for disclosure

7.2 Recognition

• Public acknowledgment available upon request
• No monetary rewards provided
• Credit given in security acknowledgments

8. Contact Information

Security Team Contact:

• Use website contact form
• Mark subject as “Security Vulnerability Report”
• Include all required information
• Expect acknowledgment within 48 hours

9. Policy Updates

• This policy may be updated periodically
• Changes effective immediately upon posting
• Current version available on website
• Previous reports handled under policy at time of submission

Last Updated: November 19, 2024