Details

Upside Security Program

At Upside, we take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
Perform research only within the scope set out below
Use the identified communication channels to report vulnerability information to us

If you follow these guidelines when reporting an issue to us, we commit to:

Not pursue or support any legal action related to your research
Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 3 business days of submission)
Handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission

Scope

upside.com
upside-services.com
Latest version of Upside iOS App
Latest version of Upside Android App
AWS infrastructure and services in use by Upside (e.g., S3 buckets)

Out of Scope

Third-Party Services

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

Social logins like Facebook, Google etc.
appsflyer.com
Mixpanel.com
Branch.io
Iterable.com
Segment.io
optimizely.com
Bugfender.com
Plaid

Excluded Test Types

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing)
Findings from applications or systems not listed in the 'Scope' section
UI and UX bugs and spelling mistakes
Denial of Service (DoS/DDoS) vulnerabilities
Issues related to SPF/DKIM/DMARC
Attacks against our end users, or engage in the trade of stolen user credentials
Attacks against customer support; through contact forms or methods
Vulnerabilities only affecting unsupported browsers or platforms
Attacks requiring physical access to a user's device
User data stored unencrypted on the file system on rooted devices

Confidentiality

You must treat all information about our systems, staff or customers, that is not publicly available, as strictly confidential and not share or use it for any purpose other than emailing it as a submission as described below.

How to Report a Security Vulnerability

If you believe you've found a security vulnerability in one of our products or platforms please send it to us by emailing [email protected]. Please include the following details with your report:

Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
Your name/handle and a link for recognition

Guidelines

We require that all researchers:

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing

Perform research only within the scope set out below

Use the identified communication channels to report vulnerability information to us

If you follow these guidelines when reporting an issue to us, we commit to:

Not pursue or support any legal action related to your research

Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 3 business days of submission)

Handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission

Out of Scope

Third-Party Services

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

Social logins like Facebook, Google etc.

appsflyer.com

Mixpanel.com

Branch.io

Iterable.com

Segment.io

optimizely.com

Bugfender.com

Plaid

Excluded Test Types

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

Findings from physical testing such as office access (e.g. open doors, tailgating)

Findings derived primarily from social engineering (e.g. phishing, vishing)

Findings from applications or systems not listed in the 'Scope' section

UI and UX bugs and spelling mistakes

Denial of Service (DoS/DDoS) vulnerabilities

Issues related to SPF/DKIM/DMARC

Attacks against our end users, or engage in the trade of stolen user credentials

Attacks against customer support; through contact forms or methods

Vulnerabilities only affecting unsupported browsers or platforms

Attacks requiring physical access to a user's device

User data stored unencrypted on the file system on rooted devices

How to Report a Security Vulnerability

If you believe you've found a security vulnerability in one of our products or platforms please send it to us by emailing [email protected]. Please include the following details with your report:

Description of the location and potential impact of the vulnerability

A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)

Your name/handle and a link for recognition