Vulnerability Disclosure Policy
Security Researchers should…
- Respect the rules. Operate within the rules set forth by this policy, or speak up if you strongly disagree with them.
- Respect privacy. Make a good faith effort not to access or destroy another user’s data.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good by promptly reporting all vulnerabilities you find. Never willfully exploit others without their permission.
- Notify us as soon as you discover a potential security vulnerability.
- Do not share details of the suspected vulnerability publicly or with any third party.
- Only use or access accounts and information that belong to you.
- Do not destroy or modify data that is not yours.
- Do not degrade the performance of GEVME products and services or our users.
- Do not perform social engineering, physical, or denial of service attacks on GEVME personnel, locations, or assets.
- Once you have demonstrated a vulnerability, do not repeatedly access the system, and do not share any access you obtained with others.
This program applies to GEVME products, services, and systems. Always verify whose assets you are testing before and while performing research. Assets in scope for this program are:
Out of Scope Vulnerabilities:
- Findings from applications or systems not listed in the ‘In Scope’ section.
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user’s device.
- Clickjacking on pages with no sensitive actions.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS.
- Rate-limiting or brute-force issues on non-authentication endpoints.
- Anything not permitted by applicable law.
How to Report a Vulnerability
If you have detected a vulnerability, please send your report, including a proof of concept (POC) and steps to reproduce, to email@example.com
What we would like to see from you
To help us triage and remediate potential findings, a good vulnerability report should:
- Describe the vulnerability, precisely where it was discovered, and its real-world impact.
- Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
- Include one vulnerability per report (unless the vulnerabilities form an attack chain).
- Don’t report automated scanner results without proof of exploitability.
NOTE: Vulnerabilities reported without a POC (Proof of Concept) and steps to reproduce will not be considered for this reward program.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 7 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about the remediation process, including any issues or challenges that may delay resolution.
- When you follow the guidelines laid out above, we will not pursue or support any legal action related to your research.
- If you are the first to report a “qualifying vulnerability” in accordance with this Policy, we would like to recognize your contribution on our Security Researcher Hall of Fame and/or with a reward.