Last updated: February 12, 2021
We truly appreciate it when an ethical hacker, a security researcher or any person who desires to help us secure our platform reports a security vulnerability to us. We take security seriously, and we respond to every single report we receive in less than 72 hours.
The goal of this document is to define how to interact with our security team. Please read it thoroughly, and if you believe you have found a security vulnerability in our application or infrastructure, send us an email at firstname.lastname@example.org.
Please send your report to email@example.com.
Your report should contain all the information necessary to reproduce the vulnerability and explain how one could use it maliciously. Do not hesitate to send us screenshots or videos of the exploit; they are often helpful. When possible, please also send a benign (non-destructive) proof of exploitation.
We will acknowledge your report rapidly and might ask for more context when necessary. We will then keep you informed of the development of the fix. When fixed, we’ll ask you to confirm that the vulnerability has been patched.
We truly value your help and the time you spend finding this vulnerability. We believe in your good intentions and would appreciate it if you do not:
We request that you securely delete all data retrieved during research as soon as it is no longer required, or at most one month after the vulnerability is resolved, whichever occurs first.
It is challenging to come up with a perfect definition of what is considered a security vulnerability. However, we can clear some things up and tell you what we believe is not in our current scope.
We do not consider any issue outside of our domains backhq.com and back.ee to be a vulnerability.
We also do not consider the following types of issues to be vulnerabilities:
We do not currently run a bug bounty at Back. However, if you report a vulnerability which has a significant impact on our application or infrastructure, we’ll reward you according to its severity.
If you wish to provide feedback or suggestions on this policy, please contact our security team at firstname.lastname@example.org. This policy evolves, and we value your input to ensure that it is clear, complete, and remains relevant.