Under the principle of Coordinated Vulnerability Disclosure, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product. The researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, the vendor may recognize the finder for the research and for privately reporting the issue. If attacks are underway in the wild and the vendor is still working on the update, then the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on Coordinated Vulnerability Disclosure (CVD), please review the information provided in the following links:
- ISO/IEC 29147:2018 on Vulnerability Disclosure
- The CERT Guide to Coordinated Vulnerability Disclosure
- Federal Office for Information Security (BSI) Vulnerability Management
We invite you to help us strengthen existing security measures and adapt them to new electronic threats. The security and privacy of confidential data are important to us, and we take our responsibility to protect this data seriously. We use technical, administrative and physical controls to protect this data.
We want to hear from security researchers who have information about suspected security vulnerabilities in the services or products we provide. We value your work and are willing to work with you. Please report security vulnerabilities to us in accordance with this Responsible Disclosure Program. We thank you in advance for your contribution.
Reporting a Vulnerability
Please send the vulnerabilities you identify, encrypted, to the recipients listed in our security.txt file. If you discover personally identifiable information while exploring a suspected security vulnerability, we ask that you cease your investigation and immediately report the vulnerability that led to such discovery.
The report should include sufficient information for us to validate and reproduce the issue, including:
- The service affected, such as the URL, IP address or product version.
- A detailed description of the vulnerability.
- A description of how the vulnerability was discovered (including tools that were used) or what steps you were taking when you encountered the vulnerability.
- A description of the impact of the vulnerability and likely attack scenario.
- Proof-of-concept (PoC) code, if applicable; alternatively, please supply reproduction instructions demonstrating how the vulnerability might be exploited.
- A suggested patch or remediation action if you are aware of how to fix the vulnerability.
If you identify a vulnerability in accordance with this program, we commit to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.
By submitting your report:
- You agree not to publicly disclose the vulnerability until we agree to a public disclosure.
- You agree to keep all communication with us confidential.
- You represent that the report is original to you or, if you submit a third-party report, that you have permission to do so.
- You allow us the unconditional ability to use, distribute or disclose information provided in your report.
- You agree that we, in our sole determination, may reward or recognize reports made in accordance with this Responsible Disclosure Program.
Our Expectations With Your Discovery
If you are considering submitting a vulnerability report, your values clearly align with ours. You know how critical security is and you want to protect consumer information. Understanding this shared perspective, we do not want you to take on or create unnecessary risk in order to discover a vulnerability. While we support acts taken in good faith to discover and report vulnerabilities, we expressly prohibit any of the following conduct:
- Taking any action that will negatively affect us.
- Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
- Disclosing any personally identifiable information discovered to any third party.
- Destruction or corruption of data, information or infrastructure, including any attempt to do so.
- Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for us).
- Any exploitation actions, including accessing or attempting to access The Standard data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
- Attacks on third-party services.
- Denial of Service attacks or Distributed Denial of Services attacks.
- Any attempt to gain physical access to our property or data centers.
- Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
- Violation of any laws or agreements in the course of discovering or reporting any vulnerability.
Out of Scope Vulnerabilities
The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
- Third-party applications, websites or services that integrate with or link.
- Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
NOTE: We reserve the right, in our sole discretion, to modify the terms of these Responsible Disclosure Guidelines at any time.
Security Researcher Hall of Fame
We thank all those who help us secure and protect our online assets in accordance with our Responsible Disclosure Program. The following individuals have set themselves apart with their outstanding personal contributions in identifying suspected security vulnerabilities. We are honored to include them in our Security Researcher Hall of Fame: