Responsible Disclosure Policy
At InSided, we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to shore up our security.
Under InSided’s Responsible Disclosure Policy, you are allowed to search for vulnerabilities, as long as you don’t:
- Execute or attempt to execute a Denial of Service (DoS);
- Make changes to a system;
- Install malware of any kind;
- Social engineer our personnel or customers (including phishing);
- Scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way;
- Physically attack or damage InSided property, offices or data centers or attempt to do so;
- Run tests on third party applications, websites or services that integrate with or link to InSided;
- Scan or attack the Amazon Web Services infrastructure or attempt to do so;
- Make use of any kind of automated scanning software without any notice upfront.
Breaching the above restrictions may result in InSided launching an investigation and/or taking legal action to the greatest extent of InSided’s legal obligation and rights or that of our partners and customers.
If you do discover a vulnerability, please contact us as soon as possible by sending an (encrypted) email to email@example.com.
What we ask of you:
- Submit your vulnerability report as soon as possible after discovery;
- Do not abuse or exploit discovered vulnerabilities in any way for any purpose;
- Do not share discovered vulnerabilities with any entities or persons other than InSided and its employees until InSided has given its permission in writing for such disclosure;
- Provide us with adequate information to enable us to investigate the vulnerability properly. (To be able to investigate properly, we will need to be able to efficiently reproduce your steps.)
- Provide us with information required to contact you (at least telephone number or email address).
What we do:
- We will endeavor to respond to your report within 1 business day or receipt, with our evaluation of the report and an expected resolution date.
- Critical incidents will be triaged and mitigated as soon as the incident is reported.
- We will keep you regularly informed of our progress toward resolving the vulnerability.
- If you have followed the above instructions, we will not take any legal action against you regarding the report.
Rewards and attribution:
- Please do not ask for a reward before sharing the vulnerability, as we need to evaluate your report before responding.
- If you report a vulnerability that is unknown to us, and if you are not from a country where we are prohibited by law from making payments (e.g. due to sanctions), we may decide to offer you a reward based upon our assessment of the criticality of the vulnerability.
Out of scope vulnerabilities:
- Vulnerabilities affecting Users of outdated or unsupported browsers or platforms;
- Issues that require unlikely User interaction;
- Clickjacking/UI Redressing;
- Reflected file download;
- Verbose error pages (without proof of exploitability);
- SSL/TLS Best Practices;
- Incomplete/Missing SPF/DKIM;
- Fingerprinting / banner disclosure on common/public services;
- Disclosure of known public files or directories, (e.g. robots.txt);
- Content spoofing (text injection);
- OPTIONS HTTP method enabled;
- Recently disclosed 0-day vulnerabilities;
- Presence of autocomplete attribute on web forms;
- Use of a known-vulnerable library (without proof of exploitability).