Vulnerability Disclosure Policy

As a Digital Experience Monitoring provider we believe in taking our own users’ Digital Experience seriously. Our own security, and therefore the security of your data in our system, is one of our main concerns and highest priorities. We will thoroughly investigate all security vulnerabilities reported to us in accordance with the guidelines outlined here.

Scope of the Programme

Our platform is made up of multiple subsystems, and this programme’s scope includes our platform, public web assets, and third-party services. We will only consider vulnerabilities where the attack can exploit our customers directly.

Please do not submit reports derived from automatic scanning tools, such as SSL Labs or Nessus; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues.

In Scope Assets

Out of Scope Assets (unless customer data is exploitable)

  • status.rapidspike.com
  • docs.rapidspike.com
  • results.rapidspike.com
  • journey.rapidspike.com

Out of Scope Vulnerabilities

  • Attacks that only affect individual user accounts (such as self-XSS)
  • The presence of application or web browser ‘autocomplete’ messages
  • Logout Cross-Site Request Forgeries
  • Banner disclosure on public services
  • Issues only exploitable through clickjacking
  • Descriptive error messages

Reporting to RapidSpike

The researcher should email security@rapidspike.com with the vulnerability found. We will only accept vulnerabilities reported to us that include all of the following:

  • Scope context – see above, only in scope assets will be considered for investigation
  • A detailed description of the vulnerability including its effects
  • Steps to reproduce including any configuration details, proof-of-concepts or exploit code

Additional information where possible:

  • Potential fix implementations or ideas
  • Links to further reading such as blogs, tutorials or CVSS scoring

What happens next?

Contact

We will respond within 2 business days and then provide updates every 20 days at most.

Review Process

The team will review all vulnerabilities reported in accordance with the guidelines set out above. We will take steps to reproduce them and will work with the researcher until such time as the vulnerability can be completely validated.

Once the review is complete and the vulnerability has been confirmed, the results will be sent to the researcher along with information about its resolution and any subsequent public disclosure.

Disclosures

Public disclosures will be made on our blog. If the researcher wishes to publish their findings on their own platforms then we would like this to be done simultaneously with our own disclosure.

Rewards

Rewards are issued at our sole discretion – we do not guarantee that the researcher’s report will result in a reward being issued.

  • Researchers with verified vulnerabilities will have the option to be honoured in a wall of fame with their name and a link of their choosing.
  • If we decide that a reward should be offered then it will be in the form of branded merchandise (i.e. stickers, T-shirts etc).
  • Monetary rewards will only be offered if the vulnerability is of the highest significance, which will be decided solely by us, RapidSpike.