Vulnerability Disclosure Policy

Last updated 3rd July 2023

At Superbly, we take the security of our systems seriously, and we value the security community. We value feedback from security researchers and the general public to improve our security.

If you believe that you have discovered a vulnerability, privacy issue, any exposed data, or any other security issue in any digital asset owned, operated, or maintained by us, we want to hear from you.

This policy outlines steps for reporting any such issue to us, what we expect, and what you can expect from us.

Guidelines for security researchers

We require that you:

  • make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • use the identified communication channels to report any vulnerability information to us; and
  • keep all information about any vulnerabilities that you discover confidential between yourself and us until we have had 90 days to resolve the reported vulnerability.

If you follow these guidelines when reporting an issue to us, we commit to working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).

We do not provide compensation for reporting such vulnerability information.

Out of Scope

In the interest of the safety of our users, staff, the Internet at large and you, as a security researcher, the following test types are excluded from scope:

  • findings from physical testing such as office access (e.g. open doors, tailgating);
  • findings derived primarily from social engineering (e.g. phishing, vishing, clickjacking);
  • UI and UX bugs and spelling mistakes;
  • network level ‘Denial of Service’ (DoS/DDoS) vulnerabilities; and
  • weak or insecure SSL/TLS ciphers and certificates.

We do not want to receive any personally identifiable information (PII).

If you encounter any user data during testing, such as PII, Personal Healthcare Information (PHI), credit card data, or proprietary information:

  • limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept;
  • cease testing; and
  • immediately submit your report.

You should only interact with test accounts you own or with explicit permission from the account holder.

Do not engage in extortion.

How to report a security vulnerability?

If you believe that you have identified a security vulnerability in one of our products or platforms, please send a detailed email to <[email protected]>. Please include the following details with your report:

  • a description of the location and potential impact of the vulnerability; and
  • a detailed description of the steps required to reproduce the vulnerability (proof of concept scripts, screenshots, and compressed screen captures are all helpful).

The more details you provide, the easier it will be for us to triage and fix the issue.

We request that you do not disclose your work that relates to Superbly until we have finished addressing the vulnerability, and that you provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the vulnerability before you disclose it publicly.