Vulnerability Disclosure Policy

Introduction

As a website monitoring provider, we believe in taking our own users' digital experience seriously. Our own security, and therefore the security of your data in our system, is one of our main concerns and highest priorities. We will thoroughly investigate all security vulnerabilities reported to us in accordance with the guidelines outlined here.

Programme Scope

Our platform is made up of multiple subsystems, and this programme's scope includes our platform, public web assets,
and third-party services. We will only consider vulnerabilities where the attack can exploit our customers directly.
Please do not submit reports derived from automatic scanning tools, such as SSL Labs or Nessus; we scan our systems regularly,
and will already be aware of (and be in the process of fixing) these issues.

In-Scope Assets

  • www.rapidspike.com
  • my.rapidspike.com
  • api.rapidspike.com

Out-of-Scope Assets

  • status.rapidspike.com
  • results.rapidspike.com
  • journey.rapidspike.com

Out-of-Scope Vulnerabilities

  • Attacks that only affect individual user accounts (such as self-XSS)
  • The presence of application or web browser ‘autocomplete’ messages
  • Logout Cross-Site Request Forgeries
  • Banner disclosure on public services
  • Issues only exploitable through clickjacking
  • Issues only exploitable through compromised third party accounts
  • Issues only exploitable through user error / bad practice
  • Issues identified via DDoS-style (Distributed Denial of Service) attack methods
  • Descriptive error messages

Reporting to RapidSpike

The researcher should email security@rapidspike.com with the vulnerability found. We will only accept vulnerabilities
reported to us that include all of the following:


Please Include

  1. Scope context – see above; only in-scope assets will be considered for investigation.
  2. A detailed description of the vulnerability, including its effects.
  3. Steps to reproduce, including any configuration details, proof-of-concepts or exploit code.
  4. An explanation of how the vulnerability affects the data integrity/security of our platform.

Additional Information

  • Potential fix implementations or ideas
  • Links to further reading, such as:
    • blogs
    • tutorials
    • CVSS scoring

What Happens Next?

1. Contact

We will respond within 2 business days and then provide updates every 20 days at most.

2. Review Process

The team will review all vulnerabilities reported in accordance with the guidelines set out above. We will take steps to reproduce them and will work with the researcher until such time as the vulnerability can be completely validated.

3. Disclosures

Public disclosures will be made on our blog. If the researcher wishes to publish their findings on their own platforms, then we would like this to be done simultaneously with our own disclosure.

4. Review Completion

Once the review is complete and the vulnerability has been confirmed, the results will be sent to the researcher along with information about its resolution and any subsequent public disclosure.

Rewards

Rewards are issued at our sole discretion – we do not guarantee that the researcher’s report will result in a reward being issued.

Wall of Fame

Researchers with verified vulnerabilities will have the option to be honoured in a wall of fame with their name and a link of their choosing.

Merchandise

If we decide that a reward should be offered, then it will be in the form of branded merchandise (e.g. stickers, T-shirts etc.).

Monetary Rewards

Monetary rewards will only be offered if the vulnerability is of the highest significance, which will be decided solely by us, RapidSpike.

© 2025 RapidSpike. All rights reserved.