Last updated on Jan 01 2023
Vulnerability Disclosure and Bug Bounty Program
Introduction
- Embargo is committed to maintaining the security and integrity of our systems and services. We value the contributions of the security community in helping us identify and address potential vulnerabilities. As such, we have established a vulnerability disclosure program that is intended to encourage responsible disclosure of vulnerabilities and help us improve the security of our products and services for the benefit of our customers.
- Security researchers who believe they have discovered a security vulnerability in our products or services can submit a report to our security team through a dedicated email address or online form. Our security team will review the report and confirm the vulnerability within 5 business days. Researchers who submit confirmed vulnerabilities will be eligible for a reward based on the severity and impact of the issue, as determined by our security team. If the vulnerability is confirmed, we will provide a temporary fix and issue a public acknowledgement of the researcher within 10 business days.
Scope
- This program applies to all systems and services owned and operated by Embargo. This includes, but is not limited to, our website, web applications, mobile applications, and APIs. Third-party vendors and their services and systems are explicitly out of scope.
Program Rules
- If you believe you have discovered a potential vulnerability in our systems, please do the following:
- Do not disclose the vulnerability to anyone other than Embargo.
- Do not exploit the vulnerability or use it to access or compromise any sensitive data.
- Do not attempt to disrupt the availability or performance of our systems.
- To disclose a potential vulnerability, please email us at security@xyzsaas.com. Include a detailed description of the vulnerability, including steps to reproduce it, if possible.
- Embargo will review all submissions and respond within a reasonable amount of time. We will keep you informed of our progress as we investigate and address the issue.
- If your submission is accepted as a valid vulnerability, you may be eligible for a bug bounty. The amount of the bounty will be determined based on the severity of the vulnerability and the quality of the report.
- By participating in this program, you agree to keep the details of any vulnerabilities you discover confidential until they have been resolved by Embargo.
Responsible Disclosure
Embargo is committed to working with the security community to address potential vulnerabilities in a responsible and timely manner. We ask that you cooperate with us and follow the rules of this program to ensure the best possible outcome for all parties involved.
Eligibility
- To be eligible for a bug bounty, you must be the first person to report the vulnerability to Embargo and provide sufficient information for us to reproduce and confirm the issue. You must also not be a current or former employee of Embargo.
Submission Process
- Email your submission to security@embargokit.com
- Include a detailed description of the vulnerability, including steps to reproduce it if possible
- If possible, include any relevant screenshots or other supporting evidence
- Do not include any sensitive information in your submission
Review and Response
- Embargo will review all submissions within a reasonable amount of time
- If the submission is accepted as a valid vulnerability, we will provide confirmation and begin working on a resolution
- If the submission is not accepted as a valid vulnerability, we will provide an explanation for our decision
- We will keep you informed of our progress and provide regular updates
Reward
- If your submission is accepted as a valid vulnerability, you may be eligible for a bug bounty reward
- The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report
- We reserve the right to adjust the reward amount at our discretion
- Rewards will be paid out via PayPal or another mutually agreed upon method
Confidentiality
- By participating in this program, you agree to keep the details of any vulnerabilities you discover confidential until they have been resolved by Embargo
- This includes, but is not limited to, the details of the vulnerability, any supporting evidence, and any communications with Embargo regarding the issue
- We ask that you respect the confidentiality of this process and not disclose any information without our permission.
Publication
- All reports and resolutions may be made public on our website at the discretion of Embargo.
Exclusions
- This program does not apply to vulnerabilities found in third-party systems or services that are integrated with Embargo's systems, unless the vulnerability is directly related to our systems or services
- This program does not apply to vulnerabilities that are already known to Embargo or have been previously reported
- This program does not apply to vulnerabilities that are the result of illegal or malicious activities, such as hacking or phishing
Legal
- By participating in this program, you agree to the terms and conditions outlined in this document
- You also agree to release Embargo and its employees from any liability related to the discovery and reporting of vulnerabilities
- This program is subject to change without notice
- The laws of the state of [STATE] shall govern this program and any disputes arising out of or in connection with it.
Contact
- If you have any questions or concerns about this program, please email us at security@xyzsaas.com
- We will do our best to respond to your inquiries in a timely manner
- Thank you for your interest in helping us maintain the security and integrity of our systems and services.