Responsible Disclosure Program

Responsible Disclosure

Addigy is extremely passionate and interested in maintaining the trust and confidence that our customers place in us. The security of our online platform is of the utmost importance. If you are a security researcher and have discovered a security vulnerability in one of our services or sites, we encourage you to disclose it to us in a responsible manner. Addigy will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Addigy reserves all legal rights in the event of any non-compliance.

Paid submissions are only for our Private Bug Bounty Program.

This Responsible Disclosure Program is point-based only for submissions above P5 priority as defined in BugCrowd’s Vulnerability Rating Taxonomy.

If you would like to participate in our Private Bug Bounty Program, please send an email to [email protected] and we will notify you of our next program.

Safe Harbor

When conducting vulnerability research against this program, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith. You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to [email protected] before going any further.

Reporting

Addigy encourages security researchers to share the details of any suspected vulnerabilities with the Addigy Security Team by submitting the form at the bottom of this page. Addigy will review the submission to determine if the finding is valid and has not been previously reported. We require security researches to include detailed information with steps for us to reproduce the vulnerability.

Issues not to Report

The following is a partial list of issues that we ask for you not to report, unless you believe there is an actual vulnerability:

  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser autocomplete or savepassword functionality

Commitment

If you identify a valid security vulnerability in compliance with this Responsible Disclosure policy, Addigy commits to:

  • Working with you to understand and validate the issue
  • Addressing the risk (if deemed appropriate by Addigy)

Non-compliance

  • Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Addigy will deem the submission as non-compliant with this Responsible Disclosure Policy. This form is not intended to be used by employees of Addigy and vendors currently working with Addigy, or residents of countries on the U.S. sanctions list.

In addition, to remain compliant you are prohibited from:

  • Accessing, downloading, or modifying data residing in an account that does not belong to you
  • Executing or attempting to execute ANY “Denial of Service” attack
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
  • Testing in a manner that would degrade the operation of any Addigy Systems
  • Testing third-party applications, websites, or services, that integrate with or link to Addigy Systems
  • Testing in production systems without approval

Security Researchers

If you are a security researcher and attempt to test in production, your account will be disabled for non compliance.

If you test in an environment that does not contain “stage” in the URL or environments not explicitly provided, your submissions will be invalidated.

Please reach out to [email protected] and request a test account and we will provide you with a testing environment.

Submissions

Please fill the form below if you have a security issue you wish to report to the Addigy Security Team.