Responsible Disclosure Policy
Leadspace cares about information security. We are committed to maintaining the confidentiality, integrity and availability of Leadspace systems and information to ensure the trust and confidence of our customers.
Therefore, the security of our online platforms and applications is of great importance to us. We ask that you disclose information on security issues in a responsible way and in accordance with this Responsible Disclosure Process. We will validate and fix vulnerabilities in accordance with our vulnerability management program.
As long as you use this process in disclosing information on security issues to Leadspace, we will not take legal action against you or revoke access to our online platforms and applications. Leadspace reserves all legal rights in the event of any noncompliance.
No Compensation
Leadspace does not compensate individuals or organizations for identifying potential or confirmed vulnerabilities. Requests for monetary compensation will be deemed in violation of this Responsible Disclosure Policy.
Guidelines
Adherence to Leadspace’s Disclosure Policy
Provide necessary assistance to Leadspace to replicate the issue and mitigate relevant security issues.
Intensive automated scans must not negatively impact any or all of Leadspace service availability.
Automated vulnerability scanning tools or scanned reports are prohibited.
In the case of duplicate reports, the first report would be considered a valid submission.
Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
Do not attempt to view, modify, or damage data belonging to others.
Do not disclose the reported vulnerability to others until Leadspace has had a reasonable time to address it.
Do not attempt to gain access to another user’s account or data.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Scope for Leadspace’s Responsible Disclosure Program
*.leadspace.com
Out of scope
leadspace.com
www.leadspace.com
Issues not to Report
The following is a list of issues that we ask you not to report, unless you believe there is an actual vulnerability:
CSRF on forms that are available to anonymous users
Disclosure of known public files or directories (e.g. robots.txt)
Domain Name System Security Extensions (DNSSEC) configuration suggestions
Banner disclosure on common/public services
HTTP/HTTPS/SSL/TLS security header configuration suggestions
Lack of Secure/HTTPOnly flags on non-sensitive cookies
Logout Cross-Site Request Forgery (logout CSRF)
Phishing or Social Engineering Techniques
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Sender Policy Framework (SPF) configuration suggestions


