Responsible Disclosure Program
If you believe you have found a security vulnerability with Binder or any Binder service we would like you to let us know right away.
We will investigate all legitimate reports and respond to any problem. Before reporting we would ask that you read our responsible disclosure policy.
Public disclosure of a security vulnerability may expose the entire Binder community to risk, so we ask that you keep any potential vulnerabilities confidential until we are able to address them.
We will not take legal action against you or suspend or terminate your access to any Binder service, if you report a security vulnerability in accordance with this Responsible Disclosure Program.
Binder reserves all of its legal rights in the event of any noncompliance.
Discovering Security Vulnerabilities
We encourage responsible security research on the Binder Services. We allow you to conduct vulnerability research and testing on the Binder Services to which you have authorised access.
We ask that:
- You give us reasonable time to investigate and mitigate any issue you report before making public any information about the report or share any such information with others.
- You only interact with accounts or data for which you hold the appropriate authorisation or consent
- You do not send, or attempt to send, unsolicited or unauthorised messages including emails
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not undertake any activity in relation to any security issue that violates any law or regulation.
- You do not attempt to exploit a security issue you may discover. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not post, transmit, upload, link to, send or store malware, viruses or similar harmful that could impact any Binder services.
- You do not attempt to interrupt or degrade the Binder Services.
Reporting Security Vulnerabilities
If you believe you have discovered a security vulnerability issue, please share the details with Binder by sending an email to firstname.lastname@example.org.
In reporting a potential security vulnerability issue you should include:
- An adequate description and information regarding the security vulnerability that will allow Binder to reproduce your steps to replicate the issue,
- Your email address
- Your name and Twitter handle as you would like it to appear in our Binder Security Hero list (if selected).
Binder will acknowledge receipt of your report within 24 hours, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.
Email communication between you and Binder, including without limitation, emails you send to Binder reporting a potential security vulnerability, should not contain any of your proprietary information.
The contents of all email communication you send to Binder shall be considered non-proprietary. Binder, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting.
Binder and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Binder for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products.
By submitting any information, you are granting Binder a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
We reserve the right to publish reports (and accompanying updates).
Issues not to Report
The following are issues that we ask for you not to report, unless you believe there is an actual vulnerability:
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Logout Cross-Site Request Forgery (logout CSRF)
- Phishing or Social Engineering Techniques
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sender Policy Framework (SPF) configuration suggestions
- CSRF on forms that are available to anonymous users
Researchers that responsibly disclose in accordance with this Responsible Disclosure Program are eligible for inclusion in our Binder Security Hero list.
Whether or not a security vulnerability report is in compliance with this Responsible Disclosure Program and a Researcher is eligible for inclusion in our Binder Security Hero list is in our sole discretion.
Binder does not compensate researchers for identifying potential or confirmed security vulnerabilities. Any requests for monetary compensation or any other type of consideration will be deemed in violation of this Responsible Disclosure Program.
We reserve the right to cancel this recognition program at any time without notice.