Responsible Disclosure Procedure

Version 1.0, 31 March 2017

We take the security of our systems very seriously at Red Sift but sometimes vulnerabilities can slip through our rigorous checks. If you discover a vulnerability we want to know about it so we can address it. We would like to count on the security community out there to help us better protect our users and systems.

We ask you not to take advantage of the vulnerability, not to tell others about it or use malicious methods to look for or exploit them. Please email your findings with sufficient information about its impact and how to reproduce it to security@redsift.com, ideally encrypted using our PGP key to prevent information from falling in the wrong hands.

Our commitment to you

  • We will respond to your report within 3 days with our evaluation and resolution date;
  • If you have followed these guidelines, we will not take legal action against you in regard to the report;
  • We will keep you informed of the progress towards resolving the problem;
  • We are working on a Hall of Thanks and we will publish your details there should your report meet these guidelines;

Commitment we ask from you

  • Not to attempt to gain access to our user’s account or data;
  • Not to perform any attack that could harm the reliability/integrity of our services or data (i.e.: DDoS/spam attacks);
  • Not to publicly disclose a vulnerability before it has been fixed;
  • Not to use scanners or automated tools to find vulnerabilities;
  • Not to attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure;
  • If in doubt, contact us.

Rewards

We will award an amount on a case by case basis depending on the severity of the issue. Please note that we only award one bounty per bug.

Eligible Bounties

Any software issue that results in the loss/compromise of data for Red Sift or any of its customers. The most common examples are:

  • Cross site scripting
  • Cross site request forgery
  • Remote code execution
  • Click jacking
  • Code injection
  • Leaks of sensitive data

Ineligible bounties

We can not reward bounties for things that are outside of our direct control, such as:

  • Social engineering
  • Physical access to hardware
  • Vulnerabilities in 3rd party software (Ruby, nginx, etc)
  • Denial of Service
  • Usability issues

Responsible Disclosure Procedure

Version 1.0, 31 March 2017