Responsible Disclosure Policy

GigsCheck is committed to ensuring the security of its customers by protecting their information from unwanted disclosure. This Responsible Disclosure Policy ("Policy") is intended to provide independent researchers with defined guidelines for identifying potential vulnerabilities and establishes which GigsCheck systems are in scope.

If you believe you have discovered a security or privacy vulnerability in a GigsCheck product or service, please report it to us by following the process set forth in this Policy.

If you have questions or concerns about GigsCheck's Privacy Policy or data privacy, you can ask us about privacy.

How to report a security or privacy vulnerability

If you believe you have discovered a security or privacy vulnerability that affects GigsCheck products, services, code, or systems, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.

To report a security or privacy vulnerability, please send an email to security@gigscheck.com that includes:

  • The specific product, service, code, or system(s) which you believe are affected.
  • A description of the behavior you observed as well as the behavior that you expected.
  • A numbered list of steps required to reproduce the issue. If the steps may be hard to follow, a video demonstration would be helpful.

You'll receive a reply from GigsCheck to acknowledge that we received your report, and we'll contact you if we need more information.

How GigsCheck handles these reports

For the protection of our customers, GigsCheck doesn't disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.

GigsCheck may credit researchers who have reported security issues with our products and services. In rare cases, GigsCheck may pay rewards for sharing critical security issues.

Guidelines

GigsCheck will not recommend or pursue legal action against anyone for security research activities that GigsCheck concludes represent a good faith effort to follow this Policy. GigsCheck deems such activity to be authorized.

Security researchers may use the guidelines below to clarify which actions they may and may not take when researching vulnerabilities. Under this Policy, "security research" means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, data or privacy breaches, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or pivot to other systems.
  • Provide us with the time necessary to resolve the issue before you disclose it publicly. GigsCheck will acknowledge receipt within five business days. GigsCheck will resolve the issue within a reasonable amount of time, which will depend on the complexity of the issue.
  • Do not submit a high volume of low-quality reports.

Once you've established that a vulnerability exists or encounter any sensitive data (e.g., Personally Identifiable Information (PII), financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else. A failure to adhere to this disclosure rule may result in legal action. Security researchers shall not:

  • Engage in any activity that violates federal or state laws or regulations, or applicable international law.
  • Engage in physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  • Engage in social engineering (e.g., "vishing").
  • Send unsolicited electronic mail to GigsCheck users (e.g., "phishing" messages).
  • Execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks, or other tests that impair access to or damage a system or data.
  • Introduce malicious software.
  • Use a GigsCheck system to launch redirect or amplification attacks against other systems.
  • Test in a manner which could degrade the operation of GigsCheck systems, or intentionally impair, disrupt, or disable GigsCheck systems.
  • Test third-party applications, websites, or services that integrate with, or link to or from, GigsCheck systems.
  • Delete, alter, share, retain, or destroy GigsCheck data (including sensitive data and nonpublic information), or render any GigsCheck data exposed by the vulnerability inaccessible.
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on GigsCheck systems, or "pivot" to other GigsCheck systems.
  • Disclose any type of sensitive information (technical, financial, operational, regulatory, etc.) or any PII exposed or made accessible by the vulnerability to a third party.

Out-of-Scope Products, Services, Code, and Systems

Web:

  • Enumerating and/or brute forcing login and/or registration.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working proof of concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
  • Issues that are a result of pivoting; only proof of the initial foothold is necessary.
  • Spam (including issues related to SPF/DKIM/DMARC).
  • Fingerprinting/banner disclosure on common/public services.
  • Presence of application or web browser "autocomplete" or "save password" functionality.
  • Reports about weak password policy.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of a security speed bump when leaving the site.
  • Lack of CAPTCHA/reCAPTCHA.
  • Lack of two-factor authentication.
  • HTTPS mixed content scripts.
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Open ports without an accompanying proof of concept demonstrating a vulnerability.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • XML-RPC-related brute-force/enumeration/DDoS attacks.

If you are not sure whether a product, service, code, system, or other feature is in scope or if you would like to get authorization to work on an out-of-scope item, contact us at security@gigscheck.com to obtain authorization before you begin your research.

While GigsCheck does not intend to take action against persons making good faith efforts to report potential vulnerabilities lawfully and in compliance with this Policy, we are not able to make such a representation on behalf of any third party. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any party other than GigsCheck, including the personal data of GigsCheck's customers and employees, such entity or person may independently determine whether to pursue legal action or remedies related to such activities.