Responsible Disclosure
Introduction
At Scalebranding, the security of our systems and the protection of our customers' data is a top priority. We deeply appreciate the efforts of the security research community in identifying vulnerabilities, and we are committed to working with ethical hackers to maintain a secure environment for all our users. This Responsible Disclosure Policy outlines how you can report vulnerabilities to us and the guidelines you should follow during your research.
Scope
The following systems, applications, and services are in scope for vulnerability testing:
- Main Website: www.scalebranding.com
- Payment Processing Systems: Stripe and PayPal integration
- User Accounts and Authentication Systems
Out of scope:
- Physical Security: Any attempts to physically access Scalebranding's offices or infrastructure.
- Social Engineering: Phishing, vishing, or any other forms of social engineering against our employees, contractors, or customers.
- Denial of Service Attacks: DoS and DDoS attacks are strictly prohibited.
- Third-Party Platforms: Systems hosted by third-party vendors (except those listed above) are out of scope.
Reporting Process
To report a vulnerability, please follow these steps:
Report Submission: Send your vulnerability report to [email protected].
Report Template: Your report should include the following information:
- Title: A brief summary of the vulnerability.
- Affected System: The specific system or application affected.
- Vulnerability Type: The category or type of vulnerability.
- Reproduction Steps: Detailed steps to reproduce the vulnerability.
- Impact: The potential impact of the vulnerability on our systems and users.
- Suggested Fix: Any recommendations for how to address the vulnerability.
Guidelines for Researchers
When conducting research on our systems, please adhere to the following guidelines:
- Do No Harm: Avoid actions that could disrupt services or compromise data integrity.
- No Data Exploitation: Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
- Compliance with Laws: Ensure your actions comply with all applicable local and international laws.
- Handle Sensitive Data with Care: If you encounter any sensitive data, stop your testing immediately and report it to us without accessing any further information.
Exclusions
The following types of vulnerabilities or reports are not eligible for rewards or acceptance:
- Issues related to outdated browsers or plugins.
- Reports of missing security headers (e.g., CSP, HSTS) without proof of exploitability.
- Vulnerabilities in third-party services that are not under our control.
- Reports involving physical security, social engineering, or denial-of-service attacks.
Response and Remediation
- Acknowledgment: We commit to acknowledging your report within 3 business days.
- Internal Process: Upon receipt, we will evaluate the report, prioritize it based on severity, and provide you with updates on our remediation efforts.
- Resolution Timeline: We aim to resolve all valid vulnerabilities within 90 days, with more severe issues being prioritized for faster resolution.
Legal and Confidentiality Considerations
- Safe Harbor: If you act in good faith and comply with this policy, we will not initiate legal action against you. This includes protections against legal liability for your research, provided that you adhere to the guidelines outlined above.
- Confidentiality: We respect your privacy and will not share your personal information without your explicit consent. We also offer options for anonymous reporting.
- Legal Obligations: In certain cases, particularly sensitive issues may require additional legal agreements, such as a Non-Disclosure Agreement (NDA).
Incentives
We offer rewards for valid reports, which are determined based on factors such as severity, exploitability, and impact. Rewards may include:
- Monetary Rewards: Based on the criticality of the issue.
- Non-Monetary Recognition: Inclusion in our “Hall of Fame” or a certificate of appreciation.
Coordination with Third Parties
If the vulnerability involves a third-party vendor or software, we will coordinate with them to address the issue. We will keep you informed about the progress and may invite you to be part of the communication process with the third party.
Public Disclosure
We believe in responsible disclosure. You may publicly disclose the vulnerability only after it has been resolved and with our agreement. We encourage collaborative disclosure, where we work together to ensure the vulnerability is communicated effectively and securely to the public.
Policy Maintenance
This policy may be updated periodically to reflect changes in our approach to security or to incorporate feedback from the security research community. All updates will be documented, with the latest version and update date clearly indicated.
Accessibility
We are committed to making this policy accessible to a global audience. If you require a translation or have difficulty understanding any part of this policy, please contact us at [email protected] for assistance.