Second Street values the work done by security researchers, which improves the security of our products. We are committed to working with the community to verify, reproduce, and respond to legitimate vulnerabilities that are reported to us. We encourage the community to participate in our responsible disclosure policy.
If you would like to report a security vulnerability, please send an email to: firstname.lastname@example.org. Please provide your name, contact information, and (if applicable) company name with each report. You may find it helpful to use the report template at the bottom of this policy.
Which domains are in scope?
The domain secondstreetapp.com and any subdomain, except for domains that match the pattern *-qa-*.secondstreetapp.com.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Do not violate the privacy of any person or entity.
- Do not modify, access, or destroy data that does not belong to you.
- Do not interrupt or degrade our services, or the services of any of our customers.
- Give us a reasonable time to correct the issue before making any information public.
We will investigate legitimate reports and we will make every effort to correct vulnerabilities in a timely manner. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with this policy, including good faith, accidental violations.
Frequently Asked Questions
Can I get a sandbox to test with?
When you submit a vulnerability report in accordance with this policy, you can request a sandbox account to test with. At our discretion, we may decide to provide this. If we do, we’ll let you know how to safely use the sandbox for security research and testing.
How should reports be formatted?
Company (optional): ______
Twitter (optional): @______
Bug type: ______
Severity (low, medium, high): ______
Proof of Concept: ______