Responsible Disclosure

Main Content Starts Here

Responsible Disclosure Program


is committed to its Win Right Values. Part of living our Win Right Values is a commitment to the security of our products, technology, customers, and employees. takes security seriously and investigates all reported vulnerabilities. Accordingly, has adopted this Responsible Disclosure Program (the “PDz”) to encourage public disclosure of newly identified cybersecurity vulnerabilities in its products and services.

Scope of the Program

This Program covers all products and services excluding any third-party provided network components, like cloud service providers. The Program includes, for example:

  • All websites
  • All current connected products (excluding the cloud connection and cloud storage)
  • All mobile applications

See “Out of Scope” List below for products, services, and vulnerabilities excluded from the Program.

Eligibility to Participate

To participate in this Program, you must:

  • Have read and agree to this Program;
  • Be at least 18 years of age; and
  • Participate in the Program in your individual capacity or with the permission of the organization that employs you.

To participate in this Program, you must not be:

  • On a sanctions list or in a country on a sanctions list maintained by the U.S. Department of Treasury Office of Foreign Assets Control or any other applicable government entity;
  • Prohibited or limited from participating in the Program by any applicable law;
  • Employment with or any one of its affiliates, currently or in the past year; or
  • Serving as a contributing author of the code that is the subject of your Report.

If you violate any provision of these representations, you will be automatically disqualified from this Program.

Public Disclosure Requirements

To comply with the Program, members of the public disclosing potential vulnerabilities must do so in accordance with the following guidelines:

  • Notify as soon as possible after you discover a real or potential security vulnerability.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use information owned by you and not by a third party in your Report.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems. 
  • Do not compromise public safety.
  • Do not violate any applicable local, state, national, or international law, including intellectual property.
  • Do not use accounts that are not your own.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • The following activities are expressly prohibited by the terms of this Program:
    • Denial of Service (DoS) attacks against , its products, or any of its third-party providers;
    • Social engineering or phishing to solicit login passwords or credentials from employees, contractors, or third-parties;
    • Physical attacks against employees, offices, or data centers;
    • Knowing distribution of any malware; and
    • Using unsolicited bulk messaging to pursue any vulnerabilities.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop and notify immediately, and not disclose this data to anyone else.

Report Submission and Review

  • To participate you must submit a potential vulnerability report to (the “Report”) via email at
  • Upon successful submission of your Report, you will receive a confirmation of receipt from us.
  • Please allow us a reasonable period of time to investigate and validate your Report. We will keep you reasonably informed about the status of any vulnerability you reported.
  • is not responsible for any Reports that it does not receive. Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.

What to Include in Your Report

A detailed, well-written Report will help us to assess the situation more quickly. To facilitate our review, please include a detailed description of the potential vulnerability such that we are able to reproduce and correct any issues and include the targets, tools, process, artifacts, etc. used in discovery.  Submissions of screenshots are welcome.


We are committed to responding to all Reports in a timely manner. To qualify under this Program, you must not disclose any of the contents of a Report or the fact that you submitted a Report to anyone outside of . After communicates to you that it has completed its review of the Report, you may request the ability to disclose the contents of your Report to third parties.  In reviewing all such requests, in its sole discretion, will make all determinations.

Out of Scope

The following products, services, and vulnerabilities are outside the scope of this Program:

  • and services no longer produced, maintained, or sold by , including outdated or unpatched applications, services, software, firmware;
  • Third-party websites or services, including third party software incorporated in applications;
  • Bugs that simply cause an app to crash;
  • Attacks against infrastructure;
  • Attacks requiring physical access to a user's mobile device;
  • Network Provisioning errors;
  • Violation of licenses or other restrictions applicable to any vendor's product;
  • Security bugs in third-party applications (e.g. java, plugins) or websites;
  • Host header injections (unless you can show how they could lead to a data loss);
  • Self-XSS (User defined payload);
  • Login/logout CSRF;
  • Use of a known-vulnerable library (without evidence of exploitability);
  • Vulnerabilities affecting users of outdated browsers or platforms;
  • Vulnerabilities which require a jailbroken or rooted mobile device;
  • Previously reported vulnerabilities unless some additional information is reported in the subsequent Report;
  • Recent acquisitions for the first six (6) months after acquisition to give time to internally review and mitigate any issues; and
  • Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against . Common examples may include, but are not limited to, the following:
    • Vulnerabilities were discovered by conducting an attack against employees, clients and/or partners, or referring to social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials);
    • Vulnerabilities which require a rooted or jailbroken movable device;
    • Vulnerabilities within ’s lab, staging environments or sandbox;
    • System vulnerabilities irrelevant to security issues.


  • , in its sole discretion, may modify or discontinue the Program at any time.
  • , in its sole discretion, may disqualify any security researcher from this Program at any time.
  • may pursue legal action against any criminal or unlawful activity at any time.
  • This Program does not make you an employee or a contractor of , and you are responsible for any taxes or additional restrictions based on your national and local laws.

If you make a good faith effort to comply with this Program during your security research, will consider your research to be authorized will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, will make this authorization known.

Contact Information

If you have any inquiries regarding the Program, please contact us at

Thank you for your interest in making and its products more secure.

Back to top of page