Vulnerability Disclosure Program
At SecureW2, all teams take security seriously. The moment a vulnerability is identified, we drop everything and work as a team. But as hard as we try, there will always be things that fly under our radar. We are only human!
That’s why we encourage anyone and everyone to participate in our Vulnerability Disclosure Program. We believe in a collaborative atmosphere among both researchers and developers, which is why we’ve created our Vulnerability Disclosure Program (VDP). If you identify a possible vulnerability that’s within scope, please report it to us and we will review it internally and award an Amazon gift card to qualified submissions.
Code of Conduct
- Report vulnerabilities immediately after discovery
- Stay within the code of conduct, and respect the requests of our security team
- Respect our privacy. Never publicize any personally identifiable data of customers or SecureW2 employees
- Do not violate any laws or regulations to conduct vulnerability research
- Do not store, save, or generally abuse any sensitive data exposed by your research
- Avoid disrupting our services in the course of your investigation
Scope
What’s In Scope?
- *.securew2.com
- Except for the following URLs: marketing.securew2.com, resources.securew2.com, status.securew2.com
What’s Out of Scope?
Activities that are out of scope and ineligible for a reward are:
- Denial of Service (DoS) – either through network traffic, resource exhaustion, or other means
- CSRF issues on actions with no impact
- Incomplete or missing SPF/DMARC/DKIM records
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Vulnerabilities found using well known and readily available security tools such as:
- Bugs already known to us, or previously reported by someone else (reward goes to the first reporter)
- Issues that aren’t reproducible
- HSTS not enabled
- Brute force attacks
- Social Engineering attacks
- Resources hosted on third parties, for example:
Rewards and Rating
For bugs that have been discovered appropriately using our code of conduct, the following awards are available:
Priority | Reward |
---|---|
P1 | $300 Amazon gift card |
P2 | $200 Amazon gift card |
P3 | $100 Amazon gift card |
We use the Bugcrowd Vulnerability Rating Taxonomy to determine the priority rating.
Reporting your Vulnerability Findings
Please submit findings to vulnerabilities@securew2.com using this PGP key.