Playvox is committed to protecting the security of its customers’ data. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems, according to the guidelines described below.
If you comply with this policy during your security research (as described below), we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly.
Please note, we may modify this policy at any time.
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit for any other purpose including, without limitation, to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to investigate and resolve the issue before you disclose it to any third party.
- Do not include any sensitive data when disclosing the vulnerability to third parties.
- Respond to any follow-up requests from our team for updates and further information regarding your report.
- Do not submit a high volume of low-quality reports.
- Comply with all applicable laws.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose any information regarding the text to any third party until we have confirmed in writing (including email) that we have had a reasonable amount of time to resolve the reported issue.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Test in a manner that would corrupt the operation of Playvox’s services.
- Post, transmit, upload, link to, send, or store any malicious software.
- Test what would result in sending unsolicited or unauthorized junk mail, spam, or other forms of unsolicited messages.
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
- Test third-party applications, websites or services that integrate with or link to Playvox’s services.
This policy applies to the Playvox’s services systems and services, excluding static websites and non-production environments.
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at email@example.com before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this policy. If there is a particular system not in scope that you think merits testing, please contact us at firstname.lastname@example.org before starting your research.
Out of scope
The static websites are out of the scope as they are not part of the Playvox’s services for purposes of this policy. Static websites are, but not limited to:
Certain vulnerabilities are considered out-of-scope for this policy. Those out-of-scope vulnerabilities include, but are not limited to:
- Social Engineering attacks
- Denial-of-service attacks
- Account enumeration using brute-force attacks
- Weak password policies and password complexity requirements
- Missing http security headers which do not lead to a vulnerability
- Missing HttpOnly or Secure flags on cookies
- Clickjacking on static websites
- Reports from automated tools or scans
- Vulnerabilities affecting users of outdated browsers
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports of SSL issues, best practices, or insecure ciphers
- Self-exploitation attacks
- Test versions of applications
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS/DDoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors).
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
Reporting a vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.
If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Playvox, consider sharing to the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process.
We accept vulnerability reports via email@example.com, if the report contains sensitive information, you can request a PGP key at this mailbox. Reports may be submitted anonymously. If you share contact information, we will promptly acknowledge receipt of your report.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.
We may retain any communications about vulnerabilities you report for as long as we deem necessary to invest and resolve the vulnerability.
We reserve the right to publish reports (and accompanying updates).
We do not provide a “bounty” or any monetary award for reports submitted or vulnerabilities uncovered; however, if you share your contact information with us we may publish your name on a list of researchers who have submitted security reports (“wall of fame”).We will not publish your name if you notify us that you do not want to be included on such list.
Questions regarding this policy may be sent to firstname.lastname@example.org. We also invite you to contact us with suggestions for improving this policy.