Responsible Disclosure Policy

Effective July 25, 2024

Overview

Shieldwall cares deeply about maintaining the trust and confidence that our customers place in us. The security of our online platforms is of paramount importance. If you are a security researcher and have discovered a security vulnerability in one of our services or sites, we encourage you to disclose it to us in a responsible manner. Shieldwall will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.

We will validate and fix vulnerabilities in accordance with our commitment to security and privacy. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Shieldwall reserves all legal rights in the event of any non-compliance.

Scope

This policy applies to vulnerabilities discovered in our web application. Whether a reported issue falls outside this scope is determined by Shieldwall on a case-by-case basis.

Reporting

We encourage security researchers to share the details of any suspected vulnerability with the Shieldwall Information Security Team by submitting the contact form. Reports must include enough detail, including step-by-step instructions, for us to reproduce the vulnerability. Shieldwall will review each submission to determine whether the finding is valid and has not previously been reported. At Shieldwall's discretion, you may be eligible for monetary compensation for your efforts.

Encryption: We encourage the use of PGP encryption when sending sensitive information. Our public PGP key is available.

Anonymity: We understand the importance of researcher anonymity. If you'd like to remain anonymous, please indicate so in your report.

Our Commitment

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Shieldwall commits to:

  • Work with you to understand and validate the issue.
  • Acknowledge your report within 7 working days.
  • Once we have assessed the issue, provide feedback on its severity and the intended fix.
  • Resolve significant vulnerabilities within 90 days of acknowledging the report.
  • Not initiate legal action against researchers who comply with this policy and act in good faith.
  • Recognize your efforts in our Hall of Fame, unless you ask to remain anonymous.
  • Address the risk in the manner Shieldwall deems appropriate.

Guidelines for Researchers

  • Do No Harm: Test only with your own accounts where applicable. Do not harm our users or data during your research.
  • No Data Exfiltration: Do not exfiltrate, modify, or delete data that doesn't belong to you.
  • Avoid Disruption: Do not perform tests that could disrupt our services or infrastructure. This includes, but is not limited to, DDoS attacks.
  • No Public Disclosure: Please refrain from disclosing vulnerabilities to the public before we've had a chance to address them.
  • Confidential Information: Do not share confidential information obtained from Shieldwall with any third party.
  • No Social Engineering: Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including our staff, members, customers, or partners.

Noncompliance

Public disclosure of the details of any identified or alleged vulnerability without express written consent from Shieldwall renders the submission noncompliant with this Responsible Disclosure Policy. In that event:

  • We reserve the right to pursue legal action against individuals or entities who conduct non-compliant security research activities.
  • We may exclude the individual or entity from any recognition or compensation (if applicable) related to the disclosure.
  • We may publicly communicate the non-compliance, detailing the actions taken by the non-compliant party.

In addition, to remain compliant you are prohibited from:

  • Accessing, downloading, or modifying data residing in an account that does not belong to you
  • Executing or attempting to execute any “Denial of Service” attack
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other unsolicited messages
  • Testing in a manner that would degrade the operation of any Shieldwall systems
  • Testing third-party applications, websites, or services that integrate with or link to Shieldwall systems

By responsibly reporting a vulnerability to us, you acknowledge and agree to this policy. We reserve the right to modify this policy at any time without notice.

Please contact us if you have a security issue you wish to report to the Shieldwall security team.

Updates & Changes

This policy may be updated from time to time. We recommend researchers periodically check for the latest version before engaging in vulnerability research.