Vulnerability Disclosure Policy

Our commitment to independent researchers:

• To maintain confidentiality and exclusivity in the disclosure and remediation process
• To strive to validate and remediate all serious findings in a timely manner
• To respond clearly whenever remediation or validation efforts may be delayed

Our request:

• As we promise confidentiality, we ask that researchers do the same. Please do not disclose information about shared findings without written permission from our team.
• Provide detailed and clear reproduction steps (proof of concept) when sharing findings, so we may validate them in a timely manner.
• Save time by paying close attention to the out-of-scope section below.
• Include an email address with the submission, so we can reach out for technical clarifications and follow-up.

Out-of-scope:

• Testing the physical security of our offices, employees, or equipment
• Any non-web attacks such as social engineering or phishing
• DoS/DDoS, or any other testing that may impact the operation of our systems
• App or network scan reports, unvalidated test results, or “theoretical” findings
• Access to, or modification of, any account that does not belong to the researcher
• Testing which results in form or email spam, or unsolicited messages or alerts
• Testing third party SaaS apps or services, except self-host, IaaS, or CDN assets
• Defacing any assets, or doing anything that may result in brand damage

In-Scope Examples:

• BOLAs/IDORs, OWASP API Top 10, multi-stage logic flaws, account enumerations and iteration flaws, XML injections, auth problems, cloud data leakages, critical software version flaws, provable RFIs/LFIs, upload exploits, WAF bypasses.

Below you will find a form where you can submit your findings. Please include accurate and detailed findings to facilitate faster validation. Thank you and happy hunting!