Security disclosure policy
Confused.com is committed to providing the most secure service possible and takes security seriously. We will do our best to mitigate any reported vulnerabilities in a timely manner and we agree not to take any legal action against you as long as you follow the guidelines in this Policy.
Guidelines for disclosure
- Act in good faith.
- When investigating a vulnerability, you should only ever target your own accounts and data. Never attempt to access anyone else’s data and do not attempt to perform any testing against any of our partners.
- You must not perform any testing that could potentially cause disruption to, or incur additional costs for, Confused.com or any of our partners. Examples of this are DDoS attempts, attempts to crash or make systems unresponsive, and fuzzing attacks.
- Never attempt to view or change any sensitive data held by Confused.com except for that of your own account(s).
- Never attempt to delete any data held by Confused.com, including that of your own account.
- You must not exploit the vulnerability to attempt to gain further access to our systems or data.
- Never attempt to perform social engineering on our staff or gain physical access to any of our sites or systems.
- You must not break the law.
- You must keep any information about potential and identified vulnerabilities confidential between yourself and Confused.com.
- If you are unsure whether an action would be in breach of these guidelines, please contact us at firstname.lastname@example.org.
How to contact Confused.com
- Please report any vulnerabilities you discover to email@example.com as soon as you can.
- Please provide a clear and concise description of the vulnerability.
What will Confused.com do?
- Our security team will respond to you within two working days to confirm your submission of a vulnerability.
- We will carry out a full investigation into the reported vulnerability. This may involve further communication with you to fully understand the open problem or issue.
- We will provide you with an update as soon as we are reasonably able to do so and confirmation when the vulnerability is remediated.