To that end, TripleBlind welcomes responsible disclosure of vulnerabilities by researchers. We do reward researchers on a case-by-case basis. To contact TripleBlind, please reach out to us at firstname.lastname@example.org.
TripleBlind will not take legal action against individuals who report vulnerabilities in accordance with the policy as outlined below.
We require that all researchers:
- Contact us before beginning scanning, probing, or research work. Failure to contact us first will inhibit our ability to work with you to resolve the vulnerability.
- Do not access customer or employee personal information.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not disrupt production systems or destroy data during security testing.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using email (do not use third party file sharing sites).
- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
- Securely delete TripleBlind information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
- Third-party applications and services in use by TripleBlind
- TripleBlind's corporate networks
- Social engineering
- Denial of service
- Brute forcing
- Weak passwords
- Lack of headers
- SSL vulnerabilities
- Reports from automated scanning tools
- Destruction of data
- Changing passwords and account information for accounts that do not belong to you
- Abusing vulnerabilities to steal from TripleBlind
- Theft of data
- Publishing of private or company information
In order to ensure compliance with this policy, individuals should stop testing after discovering a vulnerability and not attempt to escalate the attack further. Feel free to include suspected lateral or escalation paths in your report. Additionally, in order to avoid stealing or damaging others' data, researchers should focus testing on accounts and information that they have created and control.
TripleBlind reserves the right to modify, suspend, or remove this policy at any time without notice. TripleBlind will have no liability with regards to the actions of any researcher. Researchers are responsible for following all applicable laws.