Responsible Disclosure Procedure

Version 1.1, 15 December 2025

We take the security of our systems very seriously at Red Sift but sometimes vulnerabilities can slip through our rigorous checks. If you discover a vulnerability we want to know about it so we can address it. We would like to count on the security community out there to help us better protect our users and systems.

We ask you not to take advantage of the vulnerability, not to tell others about it, and not to use malicious methods to look for or exploit vulnerabilities. Please email your findings, with sufficient information about the impact and how to reproduce it, to [email protected].

Reporting guidelines

  • Reports need to show details of the vulnerability found, steps to reproduce, and a description of both the vulnerability and the risk.
  • Please make the report as detailed and specific as possible. Reports must demonstrate original analysis and a clear understanding of the issue. Low-effort, generic, or automatically generated reports without meaningful context will not be considered.

Our commitment to you

  • We will acknowledge your report within 3 days of receiving it, and we will provide you with our evaluation and resolution in a timely manner;
  • If you have followed these guidelines, we will not take legal action against you in regard to the report;
  • We will keep you informed of the progress towards resolving the problem;
  • If you wish, we will publish your details in our Hall of Thanks, should your report meet these guidelines.

Commitment we ask from you

  • Not to attempt to gain access to our users' accounts or data;
  • Not to perform any attack that could harm the reliability or integrity of our services or data (e.g. DDoS or spam attacks);
  • Not to publicly disclose a vulnerability before it has been fixed;
  • Not to use scanners or automated tools to find vulnerabilities;
  • Not to attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure;
  • If in doubt, contact us.

Rewards

We will award an amount on a case-by-case basis depending on the severity of the issue. Please note that we only award one bounty per bug.

Eligible Bounties

Any software issue that results in the loss/compromise of data for Red Sift or any of its customers. The most common examples are:

  • Cross-site scripting
  • Cross-site request forgery
  • Remote code execution
  • Clickjacking
  • Code injection
  • Leaks of sensitive data

Ineligible bounties

We cannot reward bounties for things that are outside of our direct control, such as:

  • Social engineering
  • Physical access to hardware
  • Vulnerabilities in third-party software (Ruby, nginx, WordPress, etc.)
  • Denial of Service
  • Usability issues