Responsible Disclosure Policy
Version 2.9 – November 2016
We are dedicated to maintaining the security and privacy of the Aptible platform. We welcome security researchers from the community who want to help us improve our services.
If you discover a security vulnerability, please give us the chance to fix it by emailing us at email@example.com. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Thank you for your work and interest in making the community safer and more secure!
Aptible rewards security researchers for reporting vulnerabilities. Please email firstname.lastname@example.org to report an issue.
If you would like to be eligible for a bounty, please read this carefully.
- NEVER attempt to gain access to another user’s account or data.
- NEVER attempt to degrade the services.
- NEVER impact other users with your testing.
- Test only on in-scope domains, listed below.
- Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.
Doing any of the above will render you ineligible for cash bounties.
Only the following services are in-scope:
The following types of reports/attacks are out of scope. Do not attempt them:
- DOS attacks
- Brute forcing login/account management pages
- Physical vulnerabilities
- Social engineering attacks (e.g. phishing)
The following types of bugs do not qualify for bounties:
- CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
- Self-XSS and issues exploitable only through Self-XSS
- Clickjacking and issues only exploitable through clickjacking
- Functional, UI and UX bugs and spelling mistakes
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP error codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Presence of application or web browser “autocomplete” or “save password” permission
- Email auth (SPF records, etc)
- User enumeration on login
- Frans Rosen
- Adam Enger
- Mohammed Shameem Shahnawaz
- Josha Bronson, Bronsec Inc.
- Jubaer Al Nazi, ServerGhosts, Bangladesh
- Ali Hassan Ghori
- Nessim Jerbi
If you choose to email us, encrypting your email is not required. Should you deem it necessary, our public key for