Responsible disclosure policy

We take security seriously and appreciate the community’s help in improving the protection of our systems.

Our commitment

The security of our systems and the protection of our customers’ data are top priorities. We encourage security researchers to responsibly report any vulnerabilities they may discover.

Scope

This policy covers our website, applications, online services and publicly accessible APIs.

What we ask of you

If you discover a vulnerability, please:

• Contact us immediately using the details provided in our security.txt file
• Do not disclose the vulnerability publicly before we have had time to fix it
• Do not exploit the vulnerability beyond what is necessary to demonstrate it
• Do not access, modify or delete other users’ data
• Do not disrupt our services or infrastructure

Our commitment to you

• We will acknowledge receipt of your report within 3 working days
• We will keep you informed of the progress of the fix
• We will not take any legal action against researchers acting in good faith and in line with this policy
• We will credit you (if you wish) when communicating about the fix

Out-of-scope vulnerabilities

The following are not covered by this policy:

• Denial-of-service attacks (DoS/DDoS)
• Social engineering or phishing targeting our employees
• Physical attacks against our premises or equipment
• Vulnerabilities in third-party services we use

Contact

Details for reporting a vulnerability are available in our security.txt file.

Please provide as much detail as possible: a description of the vulnerability, steps to reproduce it, potential impact and suggested fixes.