It takes a village.
At SecureDB, we strive to offer the best data security solutions to our customers. However, we realize that InfoSec is an ever evolving space and newer vulnerabilities are discovered almost daily. We believe in the strength of community.
If you believe that you have discovered a possible security vulnerability in any of our services (APIs, Dashboard, website, documentation etc.), please help us fix it as soon as possible. Publicly disclosing the vulnerability before our team has had an opportunity can put out customers and their users at risk.
- If you think you have discovered a vulnerability in SecureDB service, please let us know by emailing us at security AT securedb.co. Please include information on how to reproduce the issue. Screenshots are always helpful.
- We will acknowledge your email in 1 (one) business day. This is not an automated email but an email sent by someone from tech staff.
- After that, a developer from our team will reach back to you in 5 (five) business days.
- Please keep the information confidential until we have rolled out a patch.
White hat researchers are welcome to research on our platform. However, the following are strictly forbidden:
- Any attempt to modify or destroy data
- Any attempt to degrade or interrupt our services
- Any attempts at Denial Of Service
- Any attempts to access a customer’s or customer’s user’s data
- Any research that violates the applicable laws of the land
We request you to follow the following guidelines:
- Please do not create accounts using anonymous email accounts such as yopmail. It is difficult to communicate with you that way. Use your real email. We’re all friends here
- Please do not create more and more accounts. Keep it to one. If a specific vulnerability you are researching requires creation of many accounts, please reach out to us. We’ll gladly be able to help you.
- It always helps if you let us know your IP address so that we don’t block you. Also, we would hugely appreciate if you could introduce yourself when you create a free account to do research.
- Keep your research centered around APIs and Dashboard rather than on the website.
- Please do not go after ‘Request a Demo’ page or ‘Contact Us’ Page.
Researchers that responsibly disclose previously unknown vulnerabilities may be eligible for reward and/or being made part of Hall of Fame. SecureDB API, Dashboard or platform vulnerabilities in the following areas are eligible:
- Vulnerabilities around Authentication and Authorization.
- Vulnerabilities around Privilege Escalation and Permission Circumventing
- XSS, CSRF
- SQL Injection
- Side channels against our crypto code
- Any server side code execution
The following do not qualify:
- Social Engineering based attacks.
- CSRF on logout
- Lack of ‘Secure’ flag or ‘http-only’ flag in cookies
Qualification of the issue and eligibility for rewards/hall of fame are done at the discretion SecureDB Inc. Please note that duplicate reports are not eligible for reward/recognition.
Hall of fame