Responsible Disclosure Policy

At Phished we take the security and privacy of our users and customers seriously. We believe that collaboration with the security research community is crucial in identifying and addressing potential vulnerabilities in our systems and applications. We encourage responsible disclosure of any security issues discovered and appreciate the assistance of security researchers in maintaining a secure environment for everyone. This Responsible Disclosure Policy outlines the guidelines for reporting security vulnerabilities to Phished.

If you have discovered a potential security vulnerability on an asset that belongs to Phished, we kindly ask that you adhere to the following guidelines:

  • Responsible Disclosure: Make every effort to avoid any actions that could negatively impact our systems, users, or customers. Only conduct testing within the boundaries of your own account, and do not access, modify, or view data that does not belong to you.
  • Report Privately: Please submit your findings to our security team as soon as possible via our designated [email protected] email address or via our private bug bounty program on Intigriti. We recommend using encryption when communicating sensitive information.
  • Provide Detailed Information: When reporting a security vulnerability, please include all relevant details to help us understand and reproduce the issue. This may include steps to replicate the problem, proof-of-concept code, and any other supporting materials.
  • Confidentiality: We respect the privacy and security of security researchers. We will not share any personal information without explicit permission unless required by law. We also request that you do not disclose any details about the vulnerability until it has been resolved and we have given you permission to do so.
  • Response Time: Our security team will make every effort to acknowledge receipt of your report promptly and will work diligently to investigate and address the issue. We aim to provide regular updates on the progress of resolving the vulnerability and will work with you to verify and validate the fix.
  • Public Disclosure: We appreciate researchers' patience while we investigate and resolve any reported vulnerabilities. We request that you refrain from disclosing the vulnerability to the public.
  • Legal Conduct: We encourage responsible and ethical behavior in accordance with the law. If you discover a vulnerability, please refrain from taking advantage of the vulnerability for any reason, including unauthorized access, data exfiltration, or disruption of service. Engaging in such activities is strictly prohibited and may result in legal action.
  • Recognition: We recognize and appreciate the valuable contribution of security researchers who assist us in improving our security posture. Based on the severity and impact of the reported vulnerability, we may consider public recognition in our hall of fame or a reward (only via Intigriti) to express our gratitude. However, we reserve the right to determine the eligibility for and nature of any recognition or reward.

By submitting a security vulnerability report to Phished you agree to abide by the guidelines outlined in this Responsible Disclosure Policy.

Template to use when submitting a vulnerability:

  • What is the proof of concept? Document it with screenshots or a screen recording, or note every step in as much detail as possible.
  • In what way can the described vulnerability be exploited by malicious parties, and what are the requirements? Be very specific, not generic.
  • What is the impact?
  • With which account did you test?
  • What is the exact endpoint you tested against?
  • What is your concrete proposal to address this vulnerability?

Out of scope vulnerabilities include the following:

  • Clickjacking on pages with no sensitive actions or no authenticated actions
  • Software version disclosure/Banner identification issues
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records etc.)
  • Missing best practices in SSL/TLS configuration
  • Open redirect – unless an additional security impact can be demonstrated
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Anything related to HTTP security headers, e.g.: Strict-Transport-Security / X-Frame-Options / X-XSS-Protection / X-Content-Type-Options / Content-Security-Policy.
  • Reporting older versions of any software without proof of concept or working exploit.

We value your commitment to keeping our systems and users safe. Thank you for your cooperation in helping us maintain a secure environment for everyone.

Phished BV - [email protected]

Version: 1.2