Responsible Disclosure

Reporting weaknesses in our IT systems

We work hard every day to maintain and improve our systems and processes so that our customers can use our products and services safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.

Reporting

What you can report

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:

  • AWS credential exposure or account access vulnerabilities
  • Lambda function-related or execution vulnerabilities due to any code-level issues under the control of SLAppForge

What you should not report

We use Amazon CloudFront as our CDN, with the AWS-recommended settings for maximum browser compatibility. Please do NOT report that weak encryption algorithms are enabled when viewing our web pages over SSL.

How to report a weakness

You can report weaknesses to us by email to responsible.disclosure@slappforge.com. State concisely in your email what weakness(es) you have found. We will take appropriate action based on the severity. Our security experts will investigate your report and will reply to you if we require more information.

Reports sent by any other means (e.g. to other email addresses designated for business use, such as but not limited to info@slappforge.com) will not be considered, as the administration staff who read such email will mark them as spam and/or block your email address from reaching us again.

Please note that due to a recent increase in reports of issues of a very minor nature, we are compelled to ignore reports we do not consider to be serious. To avoid wasting both your time and ours, we request that you first email us your profile (including references to any previous issues found) and any vulnerabilities that you wish to test. Only proceed with any investigations if you receive a confirmation reply from us to proceed. To request permission to proceed, please email your profile to vulnerability.testing.request@slappforge.com.

Rules

Observe the rules

If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offense to the authorities.

It is important for you to know, however, that the public prosecutor’s office, not SLAppForge, will decide whether or not you will be prosecuted, regardless of whether we report your offense to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offense when investigating a weakness.

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.

  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Frequently-asked questions

You might receive a reward – but we are not required to give you one. You are not necessarily entitled to compensation, especially if your investigation is unable to alter our internal systems or databases. The amount of the reward, if any, is not fixed in advance. SLAppForge Inc. determines the amount, based on the following:

  • The caution taken in your investigation
  • The quality of your report
  • The amount of potential damages prevented as a result of your report

You will NOT receive a reward or reply if you have not followed the instructions listed above, especially if you do not use the proper email addresses to request permission and to disclose any vulnerabilities.

No. Under no circumstances should any weaknesses in our IT systems or your investigation be published without our prior written permission. Please note that as a policy we do not generally allow any such publication, even after an issue is resolved.

The email address responsible.disclosure@slappforge.com is not intended for the following:

  • To submit complaints about SLAppForge Inc's products or services
  • To submit questions or complaints about the availability of the website
  • To report viruses

Yes, you can. You do not have to give us your name and contact details when you report a weakness.