Vulnerability Disclosure Policy
Last modified 5/7/2018
Keeping user information safe and secure is a top priority and a core company value for us at SigParser. We welcome the contribution of our users and external security researchers in helping us become more secure. This policy outlines the procedure and rules around finding and submitting security issues to SigParser.
This covers any application SigParser publishes including the web application and any possible mobile applications or integrations.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Share the security issue with us in detail in private;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is not allowed;
- Do not publicly disclose the vulnerability;
- Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to SigParser;
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
- Otherwise comply with all applicable laws.
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
- Do not run brute force penetration tests. This will likely cause you to get blocked by the host and be flagged as a security event by our monitoring tools.
- Do not run denial of service tests.
- Attempt to reverse engineer our APIs
Consequences of Complying with this Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with SigParser’s vulnerability disclosure policy, SigParser will take steps to make it known that your actions were conducted in compliance with this policy.
Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy.