
Responsible Disclosure Policy

09-09-2024

We take great care to keep our software and the data we collect as safe and secure as possible. If you have discovered a security vulnerability, we ask you not to share this publicly, but to share it with us. Please send us an e-mail at dev@secretview.io and include the following information:

  • The nature of the vulnerability
  • A description of the vulnerability
  • How we can reproduce the vulnerability
  • The browser(s) and version(s) you tested on
  • The operating system(s) and version(s) you tested on

Please, also include something about yourself:

  • Name
  • Email
  • Address
  • Experience

Play by these rules:

  • Do not access or delete, or attempt to access or delete, any data you are not authorized to access
  • Do not disrupt or attempt to disrupt our services
  • Do not access or modify any data
  • Do not execute or attempt to execute a Denial of Service (DoS) attack
  • Do not run any automated tools against our servers without prior coordination
  • Do not abuse or attempt to abuse our servers’ resources
  • Do not publicly share any details of the issue
  • Do not attempt to blackmail us or try to sell us your report

In return:

  • We will not take any legal action against you if you play by the rules above
  • We will perform a risk assessment for every reported vulnerability
  • We will reply to all correctly submitted reports within 2 weeks

If you do not adhere to these rules, we will not process the report. We do not offer any compensation for security reports.

What doesn’t qualify as a valid report

  • Vulnerabilities that have been previously reported.
  • Known vulnerabilities in the components of our technological stack reported within 72 hours of their release.
  • Security issues that we can only reproduce under very specific conditions.
  • Bugs or functionality that prove that an email address or other personal information is known to Secret View, as well as the ability to use brute-force to gather the information.
  • Vulnerabilities that are an accepted risk, including but not limited to:
    - Ability to sign up and use our services without confirming an email address.
    - Lack of CAPTCHAs on forms.
    - Lack of a hardfail (-all) qualifier on SPF records.
    - Lack of a reject policy in DMARC records.
    - Lack of DNS records like CAA.
  • Clickjacking and issues only exploitable through clickjacking
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies
  • OPTIONS HTTPS method enabled
  • Host header injection
  • Anything related to HTTP security headers, e.g.,
    - Strict-Transport-Security
    - X-Frame-Options
    - X-XSS-Protection
    - X-Content-Type-Options
    - Content-Security-Policy

How do we handle reports concerning external providers?

On our website and our platform, we use several external providers. If your report concerns an issue in one of these providers, we’ll forward the report to them and consider the report process completed.

Not an invitation to actively scan

Our Responsible Disclosure Policy is not an invitation to actively scan our systems for weaknesses. We monitor our systems and are continuously improving them. For every possible vulnerability we weigh the risk and impact and determine whether it is acceptable or should be fixed. This is fully at our discretion.

If you have multiple reports, we’ll try to handle them at the same time; however, as stated above, we discourage active scanning.

We encourage you to report all vulnerabilities, but we discourage the use of automated tools. We use them as well. Using automated tools to find and/or report vulnerabilities may lead to duplicate reports. In these cases, your report could be deemed invalid.

Should you have any questions about the rules above, please do not hesitate to contact us by sending an e-mail to dev@secretview.io. We will reply to all correctly submitted reports within 2 weeks. If two weeks have passed, feel free to ask for an update but until then please be patient while we analyze the report and run it by our team.

Thank you!
