RESPONSIBLE DISCLOSURE POLICY
The goal of this policy is to comply with generally accepted best practices for vulnerability disclosure. It does not authorise you to do anything that violates the law or causes others to breach their legal duties.
We welcome anyone who has found possible vulnerabilities to responsibly disclose them to us. You may view or access only accounts that you own or are authorised to use.
The following types of research are prohibited:
- breaking any rules or laws that may apply.
- attempting to gain access to data or an account that is not yours.
- denial-of-service attacks.
- sending or attempting to send emails or messages that are not welcome or that are not authorised.
- any kind of testing on integrations with third parties.
- placing or connecting any destructive software, such as viruses, malware, or spyware.
- access from a sanctioned location, by sanctioned persons, or by children.
- accessing large or unnecessary volumes of data.
- altering data in the systems or services.
- using intrusive or harmful scanning software to look for flaws.
- requesting payment in exchange for disclosing any vulnerabilities.
Send a note to the Security Team through our contact page with the specifics of any potential vulnerabilities. Do not make these details public without our express written consent. We don’t pay people or organisations for discovering actual or prospective vulnerabilities.
In your report, please include details of:
- The URL, IP, or page where the vulnerability was observed.
- A brief description of the type of vulnerability.
- Steps to reproduce the vulnerability.