Responsible Disclosure Policy

Version 2.10 - December 2017

Responsible Disclosure

We are dedicated to maintaining the security and privacy of the Aptible services and customer data. We welcome security researchers from the community who want to help us improve our products and services.

If you discover a security vulnerability, please give us the chance to fix it by emailing us at security@aptible.com. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.

Thank you for your work and interest in making the community safer and more secure!

Bounty Program

Aptible awards security researchers cash and prizes for reporting vulnerabilities. Please email security@aptible.com to report an issue.

If you would like to be eligible for a bounty, please read this carefully.

Rules

NEVER attempt to gain access to another user's account or data.
NEVER attempt to degrade the services.
NEVER impact other users with your testing.
Test only on in-scope domains, listed below.
Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.

Doing any of the above will render you ineligible for cash bounties and prizes.

In-Scope Services

Only the following services are in-scope:

api.aptible.com
auth.aptible.com
billing.aptible.com
dashboard.aptible.com
gridiron.aptible.com

Please do not test or report issues with services not listed here.

Out-of-Scope Issues

The following types of reports/attacks are out of scope. Do not attempt them:

Reports about any service not listed under "In-Scope Services," above
DOS attacks
Brute force attacks
Physical vulnerabilities
Social engineering attacks, including but not limited to:
- phishing
- email auth (SPF, DKIM, etc.)
- hyperlink injection in emails
CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
Self-XSS and issues exploitable only through self-XSS
Clickjacking and issues only exploitable through clickjacking
Functional, UI and UX bugs and spelling mistakes
Descriptive error messages (e.g. stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP error codes/pages
Banner disclosure on common/public services
Disclosure of known public files or directories, (e.g. robots.txt)
Presence of application or web browser "autocomplete" or "save password" permission
User enumeration on login
Absence of rate limits

Top Researchers

Researchers are listed here based on adherence to these program guidelines, professionalism, and significance or novelty of the issue(s) reported:

Frans Rosen
Adam Enger
Mohammed Shameem Shahnawaz
Josha Bronson, Bronsec Inc.
Jubaer Al Nazi, ServerGhosts, Bangladesh
Ali Hassan Ghori
Nessim Jerbi
Praseudo

PGP

If you choose to email us, encrypting your email is not required. Should you deem it necessary, our public key for support@aptible.com is below:

Legal

Terms of Service Service Level Agreement Trademark Policy Acceptable Use Policy Support Policy Privacy Policy Responsible Disclosure Policy Subprocessor Directory Billing Policy Security Policy Supplemental Terms of Service for the Security Assessment Questionnaire Offering Data Processing Addendum