This web page describes ReadyTech's policy for receiving reports related to potential security vulnerabilities in its products and services and the company's standard practice with regards to informing customers of verified vulnerabilities.
This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to ReadyTech (the "Organisation").
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.
Reporting
If you believe you have found a security vulnerability, please submit your report to us using the following email: security@readytech.io
In your report please include details of:
- Time and date of discovery
- Product name and version
- URL, browser type and version, and the input required to reproduce the vulnerability;
- Technical Description - the actions that were being performed and the result, in as much detail as possible;
- Sample Code - if possible, the code that was used in testing to create the vulnerability;
- Your Contact Information - the best method to reach you;
- Software Configuration - details of the computer/device configuration at the time of the vulnerability.
Please do not include any personally identifiable information in your reports, except what is necessary to contact you.
If you report a vulnerability under this policy, we ask that you keep it confidential. Once your vulnerability has been resolved, we welcome requests to disclose your report. We'd like to unify guidance to affected users, so please do continue to coordinate public release with us.
What to expect
After your incident report is received, the appropriate personnel will contact you to follow up within 5 business days. ReadyTech will engage in open dialogue to discuss issues and notify you at each stage of the investigation.
Guidance - You must NOT:
- Break any applicable law or regulations.
- Access unnecessary, excessive or significant amounts of data.
- Modify data in the Organisation's systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Share, redistribute or fail to properly secure data retrieved from the systems or services.
- Disrupt the Organisation's services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
- Communicate any vulnerabilities or associated details other than by the means described in this document.
- Social engineer, ‘phish’ or physically attack the Organisation's staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
You MUST:
- Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
- Always comply with data protection rules and not violate the privacy of the Organisation’s users, staff, contractors, services or systems.
Participating in this program does not give you any right to intellectual property owned by ReadyTech or a third party.
Contact us at security@readytech.io if you are not sure about the impact of your security research before commencing it.
What security@readytech.io is not intended for
The security@readytech.io email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will not be processed.
Responsible Disclosure Contributors
ReadyTech thanks the following individuals and organisations that have identified security vulnerabilities in accordance with this policy:
2022:
Mahad Ali
2017:
Koen Rouwhorst