Vulnerability Disclosure Policy
If you believe you have found a security vulnerability in our platform or website, please submit your report to us.
This Vulnerability Disclosure Policy (Policy) applies to any vulnerabilities you are considering reporting to us (Metrikus).
Please review this Policy fully before you report a vulnerability; we request that you comply fully with it before filing a submission.
We value those who take the time and effort to report security vulnerabilities in accordance with this Policy. Please note that we may offer monetary rewards for vulnerability disclosures at our sole discretion.
If you believe you have discovered a security vulnerability that affects our software or services, please submit your report to us at firstname.lastname@example.org
We request that all reports include the following details, so that we can triage the report quickly and accurately and reduce the likelihood of duplicate reports and/or malicious exploitation of the vulnerability:
- the website, IP or page where the vulnerability can be observed
- a brief description of the type of vulnerability
- steps to reproduce, which should be a benign, non-destructive proof of concept.
Vulnerabilities that will not be considered include, but are not limited to, non-exploitable or theoretical issues that do not affect the Confidentiality, Integrity or Availability of the system, such as:
- Lucky13 attacks against Cloudflare TLS ciphers that are mitigated by modern browsers.
- Certificate Authority Authorization (CAA) records.
- UI redressing and clickjacking attacks based on X-Frame-Options.
- Browser security header issues, such as Content-Security-Policy or Permissions-Policy configuration.
- Non-exploitable vulnerabilities detected by automatic scanners.
- Denial of Service attacks.
- Issues found on our marketing website at https://www.metrikus.io
- Attacks against our vendors.
Following receipt of your report, we will endeavour to respond within 14 working days and aim to triage your report within 1 month; we may keep you updated on our progress.
Remediation priority will be assessed based on the impact, severity and exploit complexity of the issue.
Public disclosure may be approved at Metrikus’ sole discretion. If you wish to publicly disclose your report, please submit a request for approval to email@example.com
You must NOT:
- break any applicable law or regulations
- access unnecessary, excessive or significant amounts of data
- modify data in Metrikus’s systems or services
- use high-intensity, invasive or destructive scanning tools to find vulnerabilities
- attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
- disrupt Metrikus’s services or systems
- submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”
- communicate any vulnerabilities or associated details other than by means described in this Policy
- social engineer, ‘phish’ or physically attack Metrikus’s staff or infrastructure
- demand financial compensation in order to disclose any vulnerabilities
- share, redistribute or fail to properly secure data retrieved from the systems or services
You must:
- comply with data protection rules
- not violate the privacy of Metrikus’s users, staff, contractors, services or systems
- securely delete all data retrieved during your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This Policy is intended to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Metrikus or its partner organisations to be in breach of any legal obligations.
Published: May 2023
Policy Owner: Chief Product and Technology Officer, Product and Engineering Department
ISMS Classification - Public. Uncontrolled once printed