Responsible disclosure policy
At SeekStorm, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our security team:
- Please E-mail your findings to firstname.lastname@example.org
Responsible Disclosure Program Guidelines
Please follow these rules when testing/reporting vulnerabilities:
- Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.
- Do not read, modify or delete data that isn't your own.
- We ask that you do not disclose the problem to third parties until it has been resolved.
- Do not perform harmful activities as part of your security research, including but not limited to denying or degrading service to production systems, viewing or copying confidential personal or business data without permission, modifying or deleting data, using accounts that you are not authorized to use.
- SeekStorm's responsible disclosure process entails a 90-day embargo period during which we verify and fix the vulnerability before you disclose it to any third parties.
- Please make your report as complete as possible, including HTTP requests and responses. We reserve the right to disregard vulnerability reports that have insufficient evidence to reproduce.
- Do not request compensation for security vulnerability reports. SeekStorm does not offer bug bounties, but we will publicly acknowledge your contribution.
- The scope of the program is limited to technical vulnerabilities in SeekStorm's public-facing web applications, web sites and services.
Out of scope
- Please do not attempt to test physical security, carry out phishing attacks against our employees, or perform similar activities.
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Do not exfiltrate any data under any circumstances.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of SeekStorm or any third party.
- Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, and do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.
- UI and UX bugs and spelling mistakes are out of scope.
What we promise
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will keep you informed during all stages of resolving the problem.
- To show our appreciation for your effort and cooperation throughout the reporting process, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep SeekStorm secure.
We sincerely appreciate the efforts of security researchers in keeping the Web safe. The following people have responsibly disclosed vulnerabilities to us in the past: