Responsible Disclosure Policy
Last Updated November 2020
RESPONSIBLE DISCLOSURE/VULNERABILITY DISCLOSURE POLICY
Plannuh appreciates and encourages security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. Please continue to check here for updates.
SPECIAL MESSAGE TO SECURITY RESEARCHER/VULNERABILITY REPORTER COMMUNITY
Thank you, in advance, for notifying us regarding potential gaps in our security. We appreciate those of you who partner with us to rectify vulnerabilities to ensure the least amount of impact and risk to our stakeholder communities. Accordingly, our policy includes a request for your assistance in troubleshooting and remediating those gaps, and a request that you share your proposed resolution.
We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. Plannuh reserves all legal rights in the event of noncompliance with the Guidelines for Operating in Good Faith that follow.
Please note, Plannuh does not currently offer a bug bounty program. We extend no offer of compensation/reward or public recognition for submission of potential vulnerabilities.
GUIDELINES FOR OPERATING IN GOOD FAITH
To promote the discovery and reporting of vulnerabilities, we ask that you:
- Be respectful of our existing applications; act to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
- Do not access or modify our data or our stakeholders’ data;
- Contact us immediately if you do encounter stakeholder data. Do not view, alter, destroy, save, share, store, transfer, or otherwise access or compromise the data, and please purge any local information upon reporting the vulnerability to us;
- If personal information (e.g., names, addresses, email addresses, loyalty account numbers, unique identifiers, credit card numbers) is encountered, please stop all activity and immediately contact Plannuh at firstname.lastname@example.org;
- Do not generate fraudulent financial transactions;
- Do not participate in any activity that violates a) federal, state or international laws or regulations, or b) the laws or regulations of any country where i) assets, data, or systems reside, ii) data traffic is routed, iii) the researcher is conducting research activity, or iv) where data subjects reside;
- Share the security and/or privacy issue with us.
HOW TO SUBMIT A VULNERABILITY?
To disclose a potential vulnerability, please email us at email@example.com.
When reporting a potential vulnerability, please include a detailed description of the vulnerability: tools utilized, target, processes, and results. Please support your findings by attaching any pertinent artifacts used for discovery. Though not required for review and validation/verification of the vulnerability, if you have information regarding the remediation of the vulnerability, please share your proposed resolution.
ACKNOWLEDGEMENT AND RESPONSE
When a report is received by Plannuh’s security team, an acknowledgement will be sent to the sender within five business days. A follow-on request for further information may be sent as needed. After validation/verification of a vulnerability, a follow-up reply will be sent to the sender.
Plannuh will not negotiate in response to a threat (e.g., we will not negotiate under threat of withholding, or threat of releasing the vulnerability to the public). We will dedicate our resources to work with you and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public.
EXTERNAL VULNERABILITY REPORTING
Reporting of vulnerability information to other third parties/vendors will be determined at the discretion of Plannuh.
OUT OF SCOPE
The following are out of scope for submission under the Responsible Disclosure Policy.
Out-of-scope vulnerabilities include:
- Social Engineering, such as attempts to steal cookies, fake login pages to collect credentials, and phishing
- Resource Exhaustion Attacks
- Physical Testing
- Denial of Service Attacks