Responsible Disclosure Policy
Last updated: May 2022
StoryTap takes the security of our customer’s data very seriously. If you believe you’ve discovered a potential security vulnerability within one of our services or products, we encourage you to disclose it to us as quickly as possible and in a responsible manner.
We appreciate the assistance and patience of security researchers and are committed to reviewing all reports that are disclosed to us. We will do our best to address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure.
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
If you have questions, please contact us by sending an email to firstname.lastname@example.org.
Discovering Potential Security Vulnerabilities
We allow responsible security research on our products and services only on our services and products to which you have authorized access.
The following types of research are strictly prohibited:
- Accessing or attempting to access accounts or data that does not belong to you
- Any attempt to modify or destroy any data
- Executing or attempting to execute a denial of service (DoS) attack
- Sending or attempting to send unsolicited or unauthorized email, spam or any other form of unsolicited messages
- Conducting social engineering (including phishing) of StoryTap employees and customers, contractors or any other party
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
- Testing third party websites, applications or services that integrate with our services or products
- The use of automated vulnerability scanners
- Exfiltrating any data under any circumstances
- Any activity that violates any law
The following finding types are excluded from this Responsible Disclosure Program:
- Reports from automated vulnerability scanners.
- Descriptive error messages such as stack traces, application or server errors.
- HTTP 404 codes or pages, or other HTTP non-200 codes or pages.
- Fingerprinting or banner disclosure on common and public services.
- Disclosure of known public files or directories, such as robots.txt.
- Clickjacking and other issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users, such as contact, login and logout forms.
- CSRF with minimal security implications.
- Content spoofing or text injection.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure or HTTPOnly flags on non-sensitive cookies.
- Login or Forgot Password page brute force and account lockout not enforced.
- Enabled HTTP methods (such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc.) without a valid attack scenario.
- Missing HTTP security headers, such as Strict Transport Security, X-Frame-Options, X-SSS-Protection, etc.
- Host header or CSV injection without a valid attack scenario.
- DNS cache poisoning.
- Missing best practices in SSL/TLS configuration without a working proof of concept.
- Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.).
- Issues related to mobile applications that require the host device to be either rooted or jailbroken.
- Issues related to brute forcing, rate limiting and other denial of service type attacks.
- Weak password policy implementation.
- Use of known-vulnerable libraries or frameworks (e.g. outdated programming languages) without a valid attack scenario.
- Issues that rely on outdated or unpatched browsers and platforms to be abused.
How to Report a Potential Security Vulnerability
You can responsibly disclose potential security vulnerabilities to the StoryTap Security Team by emailing email@example.com. Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:
- An explanation of the potential security vulnerability;
- A list of products and services that may be affected (where possible);
- Steps to reproduce the vulnerability;
- Proof-of-concept code (where applicable);
- The names of any test accounts you have created (where applicable); and
- Your contact information.
Submissions that promise to only release information for reward will be ignored.
What Happens Next?
Once you have reported a potential security vulnerability we will review. As many submissions are from automated scanners, If this is a duplicate or already known issue you may not receive a response. We will attempt to respond to real and new issues within 4 business days.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it. Once the investigation has been completed we may, subject to the researchers’ consent, publicly recognise the researchers involved on this page below. If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the potential security vulnerability.
Please note that we may or may not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.