Security Vulnerability Reporting Policy

Security Innovation values the work done by outside security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

If you are a security researcher and would like to report a security vulnerability, please send an email to [email protected]. Please provide your name, contact information, and company name (if applicable) with each report. Priority will be granted to encrypted reports - please include your PGP public key with such reports. Alternatively, you may use the contact method provided by HackerOne to get in touch with us.

Download the PGP key for [email protected] from our website, here. It is also available via common online key-servers.

The PGP Key Fingerprint is: E0CF 3F74 3032 B259 8D93 2D24 BCCB 881F B0B0 75F4

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines:

• Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
• Do not modify or access data that does not belong to you.
• Give us a reasonable time to correct the issue before making any information public.
• We will attempt to respond to your report within 1-2 business days.

In-Scope Targets

• www.securityinnovation.com
• securityinnovation.com

All other hosts/sub-domains are OUT OF SCOPE without prior, written/cryptographically signed approval from Security Innovation, Inc.

Any services hosted by 3rd parties (such as Amazon Web Services) are also subject to the security guidelines of those organizations.

Excluded Issues:

• Findings from applications or systems not listed in the above “In-Scope Targets” section.
• Network level Denial of Service (DoS/DDoS) vulnerabilities.
• Findings from physical testing such as office access (e.g. open doors, tailgating).
• Findings derived primarily from social engineering (e.g. phishing, vishing, smishing).
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Disclosure of known public files or directories, (e.g. robots.txt).
• CSRF on forms that are available to anonymous users (i.e. a contact us form).
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Lack of Secure and HTTPOnly cookie flags on cookies which are not associated with login sessions.
• Anything related to SPF.

Reporting Format

1. What type of issue are you reporting? Does it align to the scoped issue?
2. How does a user reproduce your issue?
3. What is the impact of your issue?
4. What are some scenarios where an attacker would be able to leverage this vulnerability?
5. What would be your suggested fix?

Program Rewards

Security Innovation does not offer direct rewards for reported vulnerabilities at this time.

However, we are always interested in having the world’s best security engineers join our team - so an opportunity to set-up an interview may be a reward provided!