Responsible Disclosure Policy
Leadspace cares about information security. We are committed to maintaining the confidentiality, integrity and availability of Leadspace systems and information to ensure the trust and confidence of our customers.
Therefore, the security of our online platforms and applications is of great importance to us. We ask that you disclose information on security issues in a responsible way and in accordance with this Responsible Disclosure Process. We will validate and fix vulnerabilities in accordance with our vulnerability management program.
As long as you use this process in disclosing information on security issues to Leadspace, we will not take legal actions against you or revoke access to our online platforms and applications. Leadspace reserves all legal rights in the event of any noncompliance.
Leadspace does not compensate individuals or organizations for identifying potential or confirmed vulnerabilities. Requests for monetary compensation will be deemed in violation of this Responsible Disclosure Policy.
- Adherence to Leadspace’s Disclosure Policy
- Provide necessary assistance to Leadspace to replicate the issue and mitigate relevant security issues.
- Intensive automated scans must not negatively impact the availability of any Leadspace services.
- Automated vulnerability scanning tools or scanned reports are prohibited.
- In the case of duplicate reports, the first report will be considered the valid submission.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until Leadspace has had a reasonable time to address it.
- Do not attempt to gain access to another user’s account or data.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Scope for Leadspace’s Responsible Disclosure Program
Out of scope
Issues not to Report
The following is a list of issues that we ask you not to report, unless you believe there is an actual vulnerability:
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Logout Cross-Site Request Forgery (logout CSRF)
- Phishing or Social Engineering Techniques
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Sender Policy Framework (SPF) configuration suggestions