Responsible Disclosure Program
About This Program
This Responsible Disclosure Program (RDP) is offered in an effort to improve online security through responsible testing and submission of previously unknown vulnerabilities. The RDP creates clear guidelines for eligible participants to conduct cyber security research on our systems and applications.
Program Rules and Restrictions
- Do not exploit vulnerabilities, e.g. by downloading/accessing more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data. If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any high risk data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, cease testing and submit a report immediately.
- Compliance with all applicable laws and company policies is mandatory, including: our conditions of use and the U.S. Computer Fraud and Abuse Act.
- Any unauthorized activity outside the terms of this program may be subject to legal action pursuant to applicable laws and company policies. If, at any time, you have concerns or are uncertain whether your security research is consistent with the terms of this program, stop testing and contact [email protected] or submit your question via the Vulnerability Report Form.
- Non-Disclosure Agreement: All information relating to vulnerabilities that you become aware of through the RDP is considered confidential ("Confidential Information"). You agree to refrain from disclosing Confidential Information publicly or to any third party without prior, written approval from us: [email protected] You agree to honor any request from our Information Security Team to promptly return or destroy all copies of Confidential Information and all notes related to the Confidential Information.
- Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
- Remote Code Execution (RCE)
- SQL injection
- XML External Entity Injection (XXE)
- Authorization bypass/escalation
- Sensitive information leaks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Additional eligibility and rating information can be found here.
Testing Rules & Restrictions (Permission will Not be Granted)
We do NOT want you to test for or report any of the following and you are not authorized, nor will permission be granted, to conduct the following prohibited testing or actions:
- Tests that will disrupt services or impair others' ability to use them
- Use of automated scanners (Note: Approved researchers/testers may, with permission, use approved scanners with approved throttling so as not to disrupt service)
- Local network-based exploits such as DNS poisoning or ARP spoofing.
- Physical exploits of our servers or network
- Attacking physical security or third-party applications, use of social engineering, or orchestrating (distributed) denial of service attacks
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
- Knowingly posting, transmitting, uploading, linking to, sending, or storing any malware, viruses, or similar harmful software
Vulnerabilities reported with the following criteria are not eligible for attribution:
- Does not pose a substantial or demonstrable security risk
- Only affects the executing user (self-XSS and similar)
- Requires the pretense that you already have access to the affected account (or control of the user's browser)
- Only affects outdated browsers/platforms
- Clickjacking, open redirects, or lack of security headers
- UI and UX bugs and spelling mistakes
- Intentional listing of directory contents for research or publication purposes
Submit vulnerabilities via the Vulnerability Report Form. To qualify for the program, submissions must include details about the vulnerability, proof of concept or steps taken to replicate the vulnerability, and suggestions on a resolution.
DO NOT INCLUDE ANY OF THE FOLLOWING IN YOUR REPORT:
(Only let us know if these types of data are present. We will follow up with you if details are needed.)
- Personally identifiable information (PII)
- Credit card holder data
- Information that could potentially violate the company's policies