Vulnerability Disclosure Policy
We take security incidents very seriously. If you have found a vulnerability or evidence of a potential security breach, please let us know. Send an email to firstname.lastname@example.org with as much information as possible (affected URL or endpoint, steps to reproduce, and the impact you observed). Someone from our team will be in touch as soon as possible.
Selzy Bug Bounty Program
We welcome security researchers who practice responsible disclosure and comply with our policies. The Selzy bug bounty program is our way of thanking these researchers and rewarding them for their efforts. To be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.
- Do not access (or attempt to access) any user’s account or non-public data.
- Do not affect or harm other users (or their access to or use of our services).
- Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
- Do not publicly disclose a vulnerability before we have resolved it.
- Do not perform (or attempt) non-technical attacks, including spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
What kinds of reports do not qualify?
The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:
- Issues in software or protocols not under our control, such as domains or applications that resemble Selzy or use one of our APIs but are not managed by Selzy.
- Disclosure of public information or information that in our opinion does not present a significant risk.
- Disclosure of client identifiers and keys intended as a convenience for open-source contributors.
- Disclosure of credentials by other parties unaffiliated with Selzy.
- Bugs, such as XSS, that only affect legacy browser/plugin versions; bugs that require exceedingly unlikely user activity or interaction; or timing attacks that only reveal, for example, whether a given user account exists.
- Cookies shared between different *.Selzy.com subdomains.
- Bugs that have already been reported to us (i.e. first-come, first-served), or bugs that we are otherwise already aware of.
- Scripting or other automation and brute-forcing of intended functionality (all of which is strictly prohibited).
Note that while we are happy to receive reports about deviations from security best practices, such issues are not vulnerabilities unless they have a demonstrable impact on confidentiality, integrity and/or availability, and they will not result in a monetary reward.
We may issue monetary rewards for reported issues that we decide to fix, with higher rewards for distinctly creative or severe security issues. Issues that we determine to be an insignificant or accepted risk will not be eligible for a reward. The reward amount will be based on the severity of the issue and range from $25 to $500.
Please note that only reports submitted to email@example.com will be eligible for a reward under our bug bounty program.
Checking the Status of Reports or Rewards
We are a small and very busy development team, and we receive a lot of email. Please do not send multiple or repeated emails asking the same questions about a submitted report or the status of a potential bounty payment. This will not accelerate the process and may slow our response because of the extra burden on our inbox. We appreciate your patience.
Also, please be aware that repeated submissions of issues on the non-qualifying list above may not receive a response.
A Few Legal Terms
Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate it at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not a reported issue constitutes a significant risk or is eligible for a reward are made at Selzy's sole discretion in each case. We typically issue monetary rewards by PayPal and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries that are on sanctions lists (e.g. Russia, Cuba, Iran, North Korea, Sudan, or Syria). You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.