Vulnerability Disclosure Policy
As a Digital Experience Monitoring provider, we believe in taking our own users’ Digital Experience seriously. Our own security, and therefore the security of your data in our system, is one of our main concerns and highest priorities. We will thoroughly investigate all security vulnerabilities reported to us in accordance with the guidelines outlined here.
Scope of the Programme
Our platform is made up of multiple subsystems, and this programme’s scope includes our platform, public web assets, and third-party services. We will only consider vulnerabilities where the attack can exploit our customers directly.
Please do not submit reports derived from automatic scanning tools, such as SSL Labs or Nessus; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues.
In Scope Assets
Out of Scope Assets (unless customer data is exploitable)
Out of Scope Vulnerabilities
- Attacks that only affect individual user accounts (such as self-XSS)
- The presence of application or web browser ‘autocomplete’ messages
- Logout Cross-Site Request Forgeries
- Banner disclosure on public services
- Issues only exploitable through clickjacking
- Issues only exploitable through compromised third-party accounts
- Issues only exploitable through user error / bad practice
- Descriptive error messages
Reporting to RapidSpike
We only accept disclosures from approved Researcher accounts. To apply for approval please email firstname.lastname@example.org and include links to your Bug Bounty profile(s) and evidence of previous successful vulnerability disclosures.
The researcher should email email@example.com with the vulnerability found. We will only accept vulnerabilities reported to us that include all of the following:
- Scope context – see above, only in scope assets will be considered for investigation
- A detailed description of the vulnerability including its effects
- Steps to reproduce including any configuration details, proof-of-concepts or exploit code
- Explanation as to how the vulnerability affects the data integrity/security of our platform
Additional information where possible:
- Potential fix implementations or ideas
- Links to further reading such as blogs, tutorials or CVSS scoring
What happens next?
We will respond within 2 business days and then provide updates every 20 days at most.
The team will review all vulnerabilities reported in accordance with the guidelines set out above. We will take steps to reproduce them and will work with the researcher until such time as the vulnerability can be completely validated.
Once the review is complete and the vulnerability has been confirmed, the results will be sent to the researcher along with information about its resolution and any subsequent public disclosure.
Public disclosures will be made on our blog. If the researcher wishes to publish their findings on their own platforms then we would like this to be done simultaneously with our own disclosure.
Rewards are issued at our sole discretion – we do not guarantee that the researcher’s report will result in a reward being issued.
- Researchers with verified vulnerabilities will have the option to be honoured in a wall of fame with their name and a link of their choosing.
- If we decide that a reward should be offered then it will be in the form of branded merchandise (e.g. stickers, T-shirts).
- Monetary rewards will only be offered if the vulnerability is of the highest significance, which will be decided solely by us, RapidSpike.