Schedule it Ltd - Vulnerability Disclosure Policy
NO BOUNTY PAYMENTS - FREE SUBMISSIONS ONLY
You MUST get our written permission before performing testing of any kind.
Whilst we work hard to keep our services secure, we know that nothing can be 100% secure. We take notifications about security issues seriously, and will respond swiftly to fix verifiable security issues. We encourage you to report security issues by emailing bugreport@ our main domain, so that we can fix them, and keep our users safe.
Payments
There are currently no bounty payments. Unfortunately, it is not currently possible for us to offer a paid bug bounty program. We would, however, like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report genuine security vulnerabilities to us according to this policy.
What is the scope of this policy?
Our responsible disclosure policy applies to Schedule it Ltd's products, services and systems. That means that vulnerabilities found in vendor systems fall outside the scope of this policy, and should be reported directly to the vendor. If you are not sure, contact us and we will be happy to help you.
Who does this policy apply to?
This policy applies to anyone who submits a potential vulnerability report (other than employees or affiliates of Schedule it Ltd).
Who may be eligible for a bounty?
We may pay, but do not guarantee, a bounty for certain types of vulnerability reports. You may be eligible for a bounty where: 1) the security issue is unique in scope; 2) you are the first to report the issue; 3) the security issue has not been disclosed publicly or to any third party; and 4) payment to you is not prohibited by any law and/or regulation that applies to Schedule it Ltd. Again, the payment of a bounty is entirely at our discretion.
Which domains are in scope?
The domain scheduleit.com and any subdomain, with the exception of subdomains for our third party vendors.
What issues are eligible?
Please don't perform research that could impact our products, services or other users. Prohibited activities include, but are not limited to:
Degrading the performance of Schedule it Ltd's products, services, or the experience of our users in any way
Conducting activities that risk disruption of our service
Using automated tools to find vulnerabilities. They are noisy and might result in denial of service
Engaging in activities that may result in the unauthorized access, modification, or loss of data belonging to either us or our users
Performing social engineering (including phishing) or denial of service attacks on Schedule it Ltd's products or services
Using or accessing information or accounts that do not belong to you
Violating any applicable laws
Examples of issues that we would like to know about include typical security vulnerabilities, such as:
Authentication or Authorization flaws
Cross-site Scripting
Cross-site request forgery
File inclusion
Open redirect
Server-side code execution
Injection Flaws
Significant Security Misconfigurations
What issues are not eligible?
Issues already known to us and previously reported issues
Attacks that require social engineering (phishing, spam, etc.)
Self-XSS
Missing HTTP Headers, except where their absence fails to mitigate an existing attack
Volume-based denial of service
Lack of rate limits
Attacks requiring physical access to the victim device
Attacks requiring access to the local network of the victim
Assumed vulnerability based upon version disclosure only
Missing cookie flags on non-sensitive cookies
Reports of insecure SSL/TLS ciphers (unless a PoC is present and not just a report from a tool/scanner)
Flaws affecting out-of-date browsers and plugins
Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
What information should I include?
Please report security issues in the following format, emailing them to bugreport@ our main domain:
Name:
Bug type:
Domain or Product:
URL:
PoC, screenshots, video, etc.:
Please only include one potential vulnerability per report, and do not send automated scanner results without proof of exploitability. We request that you keep reports short and clear; we will contact you if we need more information.
Other guidelines
We reserve the right to pay you a bounty, in an amount to be paid at our discretion, conditioned upon your compliance with this policy. Submission of a report does not guarantee payment.
Potential vulnerabilities may not be disclosed publicly until Schedule it Ltd has reviewed and remediated any issue.
Your participation does not create any kind of employment or partnership between you and Schedule it Ltd, and you must comply with all laws in connection with your participation in this program.
Any information you receive from Schedule it Ltd through your participation must be kept confidential.
All rights not otherwise granted within this policy are expressly reserved by Schedule it Ltd, including intellectual property rights.
Schedule it Ltd reserves the right to discontinue the responsible disclosure program without prior notice at any time.
Any other questions or concerns related to security? Please contact us and we will try to help!