Ribose

If you have discovered a security vulnerability, please report it to us by using our security vulnerability reporting form which you can find below. We believe in responsible disclosure and kindly ask to you to allow us a period of time to investigate and patch the vulnerability before you publish details. Verifying and testing of the patch can take from several hours to several days where we perform extensive testing to guarantee the stability and operation of our service.

We actively work together with security researchers and we also participate in the bug bounty program of Bugcrowd. We will always respond to security reports: the security of our users and their data are of greatest importance to us.

Please read the following Responsible Security Disclosure program description before you begin with your security testing:

RESPONSIBLE SECURITY DISCLOSURE PROGRAM

To be considered, submitting vulnerabilities must adhere to the following rules:

• We need to be able to verify the reported vulnerability, and the report itself needs to be provided with as much information as possible such as what browser and platform used. It is greatly appreciated if you include a video;
• Distributed Denial-of-Service (DDoS) attacks and capacity testing are not allowed;
• Automated scanners are not allowed due to the high amount of false positives generated;
• Your testing should not negatively impact another user's Ribose experience. For example, do not send messages to other Ribose users containing cross-site scripting (XSS) without their consent;
• You must be the first researcher to report the issue, the earliest sent report is considered the first report;
• The vulnerability needs to be an actual bug. Suggestions and ideas for improvements in our security are important to us, these however do not qualify as a security vulnerability.