Security Vulnerability Disclosure Policy

Last updated: February 12, 2021

We truly appreciate when an ethical hacker, a security researcher or any person who desires to help us secure our platform reports a security vulnerability to us. We take security seriously, and we respond to every single report we receive in less than 72 hours.

The goal of this document is to define how to interact with our security team. Please read it thoroughly and if you believe you found a security vulnerability in our application or infrastructure, send us an email at security@backhq.com.

How to report a vulnerability

Please send us your report to security@backhq.com.

Your report should contain all the information needed to reproduce the vulnerability and explain how it could be used maliciously. Do not hesitate to send us screenshots or videos of the exploit; they are often helpful. When possible, please also include a benign (non-destructive) proof of exploitation.

We will acknowledge your report rapidly and might ask for more context when necessary. We will then keep you informed of the development of the fix. When fixed, we’ll ask you to confirm that the vulnerability has been patched.

What we kindly ask you not to do

We truly value your help, and the time you spend finding vulnerabilities. We believe in your good intentions and would appreciate it if you do not:

  • Use this vulnerability to access unnecessary amounts of data. A few records are enough to demonstrate most of the vulnerabilities.
  • Share or redistribute data retrieved from our systems or services. If you store some records while submitting the report, please make sure to secure them appropriately.
  • Communicate vulnerabilities or associated details via methods not described in this policy, or to anyone outside of Back’s security team.
  • Modify data in our systems or services that is not your own.
  • Disrupt our services and/or systems.
  • Disclose any vulnerabilities in Back systems or services to third parties or the public before we have confirmed that the vulnerability has been patched.

We request that you securely delete all data retrieved during research as soon as it is no longer required, and at the latest one month after the vulnerability is resolved, whichever occurs first.

What vulnerabilities to report

It is challenging to come up with a perfect definition of what counts as a security vulnerability. However, we can clarify some things and tell you what we believe is not currently in scope.

We do not consider any issue outside of our domains backhq.com and back.ee to be a vulnerability.

We also do not consider the following types of issues to be vulnerabilities:

  • Reports of non-exploitable vulnerabilities
  • Volumetric vulnerabilities (overwhelming our service with a high volume of requests, e.g. DDoS attacks)
  • TLS configuration weaknesses (support for weak cipher suites, etc.)
  • Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, X-Frame-Options, etc.) or sub-optimal email-related configuration (SPF, DMARC, etc.).

Rewards and bug bounty

We do not currently run a bug bounty program at Back. However, if you report a vulnerability that has a significant impact on our application or infrastructure, we’ll reward you according to its severity.

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team at security@backhq.com. This policy evolves, and we value your input to ensure that it is clear, complete, and remains relevant.