Responsible disclosure

Help us keep our systems secure and avoid any unnecessary risk to end users.

Responsible disclosure is a method of reporting system vulnerabilities that allows recipients sufficient time to identify and implement necessary countermeasures before the information is made public.

Security is at the core of our values, and we value the input of security researchers to help us maintain a high level of security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of integrity in discovering and reporting vulnerabilities, and how we handle your reports.

By following this controlled and ethical reporting model, the reporter helps us identify and resolve system weaknesses, making a valuable and effective contribution to the security of our services and preventing damage or disruption to the systems involved.

To submit a detected vulnerability, write to info@findspo.com.

Below you will find the rules to follow.

Procedures

When customers, researchers or experts use Findspo technology to discover one or more vulnerabilities in a website/platform, we encourage them to submit

Please follow the procedures set out below.

Anyone reporting a system vulnerability must follow the procedures below and disclose it responsibly, so that other customers are not exposed to unnecessary security risks.

Reporters should refrain from any activity that could disrupt affected systems or services or cause data leakage or loss, and should avoid accessing any data that is not necessary to demonstrate the existence of a vulnerability.

Any activity on affected systems/services must fully comply with this policy.

In addition, no intensive or invasive scanning tools are allowed.

Responsible disclosure means that the reporter does not share the vulnerability details with other parties without our consent.

Specifically, upon notification, Findspo agrees to follow up as follows:

  • Send an email to the reporter confirming receipt of the report with the above information.
  • Within 10 days of that confirmation, send a second email assessing the relevance of the vulnerability and the results of the initial analysis.
  • Handle vulnerability reports properly so as to meet the above deadlines; if an eligible vulnerability report has not yet been handled, the sender is thanked.

We do not provide financial incentives.

In addition, we reserve the right not to consider reports that do not conform to the standards outlined in this program.

We emphasize the importance of responsible behavior even after any patches have been released, as the rollout process can be long and complex.

Therefore, we ask that any information published about a vulnerability be carefully evaluated with the safety of users in mind.

Below are some examples of vulnerability categories that are considered eligible for publication in the Hall of Fame:

  • Cross Site Scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Injection (e.g. SQL injection via user input)
  • Broken authentication and session management
  • Broken access control
  • Security misconfiguration
  • Redirection/man-in-the-middle attacks
  • Remote code execution
  • Unprotected APIs
  • Privilege escalation

On the other hand, the following are outside the scope of this Responsible Disclosure Initiative:

  • Issues that are not inherently security-related (e.g. service unavailability, user interface failures) and can therefore be handled through traditional customer service channels.
  • Issues related to phishing or spam, and vulnerabilities inherent to social engineering techniques, which should be reported through the platform's contact details.
  • Results of automated penetration testing or vulnerability assessment tools.
  • Reports of weak TLS configuration, or of deviations from best practices such as missing security headers.

We reserve the right to update this Responsible Disclosure procedure at any time.