Responsible Disclosure Policy
25-07-2023
We take great care to keep our software and the data we collect as safe and secure as possible. If you have discovered a security vulnerability, we ask you not to share this publicly but to share it with us. Please send us an e-mail at dev@secretview.io and include the following information:
- The nature of the vulnerability
- A description of the vulnerability
- How we can reproduce the vulnerability
- The browser(s) and version(s) you tested on
- The operating system(s) and version(s) you tested on
Please also include something about yourself:
- Name
- Address
- Would you like to be recognized for your report?
Play by these rules:
- Do not delete or access or attempt to delete or access any data you are not authorized to access
- Do not disrupt or attempt to disrupt our services
- Do not access or modify any data.
- Do not execute or attempt to execute Denial of Service (DoS) attacks.
- Do not run any automated tools against our servers without prior coordination.
- Do not abuse or attempt to abuse our servers’ resources.
- Do not publicly share any details of the issue.
- Do not attempt to blackmail us or try to sell us your report.
In return:
- We will not take any legal action against you if you play by the rules above.
- We will perform a risk assessment for every reported vulnerability.
- We will reply to all correctly submitted reports within 2 weeks.
- If your report is not eligible, we will let you know why.
Reward
- We do not offer compensation for security reports, besides a possible mention in our disclosure policy below. We only offer this if the issue is unknown to us and we validated it to be a valid report for our use case.
What doesn’t qualify as a valid report
- Vulnerabilities to timing and DoS attacks.
- Vulnerabilities that have been previously reported.
- Known vulnerabilities in the components of our technology stack reported within 72 hours of their release.
- Security issues that we can only reproduce under very specific conditions.
- Bugs or functionality that prove that an e-mail address or other personal information is known to Secret View, as well as the ability to use brute force to gather that information.
- Vulnerabilities that are an accepted risk, including but not limited to:
  - Ability to sign up and use our services without confirming an email address.
  - Lack of CAPTCHAs on forms.
  - Lack of hardfail (-all) on SPF records.
  - Lack of a reject policy in DMARC records.
  - Lack of DNS records like CAA.
- Clickjacking and issues only exploitable through clickjacking
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- OPTIONS HTTP method enabled
- Host header injection
- Anything related to HTTP security headers, e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy
Not an invitation to actively scan
Our Responsible Disclosure Policy is not an invitation to actively scan our systems for weaknesses. We monitor our systems and are continuously improving them. For every possible vulnerability we weigh the risk and impact and determine whether it is acceptable or should be fixed.
Should you have any questions about the rules above, please do not hesitate to contact us by sending an e-mail to dev@secretview.io. We will reply to all correctly submitted reports within 2 weeks. Please be patient while we analyze the report and run it by our team. Thank you!
And a special thanks to these people who have helped us improve our security:
- Gaurav Shukla
- Husnain Iqbal (CEO of Alpha Inferno PVT Ltd)
- Mohit Kumar
- Gaurang Maheta
- Shrivallabh Walkade
- Nilesh Agrawal Koyo (https://twitter.com/koyohere)
- Safwat Refaat (@Caesar302)
- Kunal Mhaske
- Mohd Shamim
- Durvesh Kolhe
- Nikhil Rane
- Priyanshu Dhiman
- Kartik Bansal
- Kartik Garg
- Parmeshwar Dattu Kanhere
- Minaketan Nag
- Samir Gondaliya
- Aniket Tomar