Responsible Disclosure Policy

At FunnelStory, we take the security of our customers' information seriously, and we believe in collaborating with security researchers and members of the wider community to maintain a safe and secure platform for everyone.

If you have discovered a security vulnerability in our system, we encourage you to report it to us as soon as possible so that we can take appropriate steps to fix it. Our policy for responsible disclosure is outlined below.

What is Responsible Disclosure?

Responsible disclosure is a method of reporting security vulnerabilities that involves communicating the details of the vulnerability to the organization that is responsible for the system in question. The idea is to allow the organization to take action to fix the issue before it can be exploited by malicious actors. This approach is designed to balance the need for security with the interests of the security researcher who has discovered the vulnerability.

Legal Compliance

  • We will not take legal action against individuals who make a good faith effort to follow this policy.
  • We will cooperate with law enforcement agencies to the extent required by law.
  • We reserve the right to take legal action against individuals who exploit a security vulnerability for personal gain or engage in other malicious activities.

Scope of Policy

  • This policy applies to any individual who discovers a security vulnerability in our platform and reports it to us in accordance with the procedures outlined below.
  • This policy does not authorize individuals to conduct vulnerability testing or penetration testing without explicit written permission from FunnelStory.

Exclusions

  • Attempting to gain access to the accounts or personal information of other FunnelStory customers is strictly prohibited.
  • Disrupting the normal functioning of our platform or services is strictly prohibited.
  • Engaging in any activity that is illegal or unethical is strictly prohibited.
  • We reserve the right to take legal action against individuals who engage in any of these prohibited activities.

Non-Discrimination

  • If you are an employee or contractor of FunnelStory and have discovered a vulnerability in the course of your work, please report it to your supervisor or the appropriate department immediately.
  • Failure to report a vulnerability in a timely manner may result in disciplinary action.
  • We welcome security researchers from all backgrounds and do not discriminate on the basis of age, race, gender, sexual orientation, or any other protected category.

How to Report a Security Vulnerability

If you have discovered a security vulnerability in our system, please send an email to [email protected]. In your email, please include the following information:

  • A detailed description of the vulnerability
  • Steps to reproduce the vulnerability
  • The potential impact of the vulnerability
  • Any additional information that may be useful in addressing the issue

We take all reports of security vulnerabilities seriously, and we will do our best to respond to your report in a timely manner. Please note that we may need to follow up with you for additional information, so please provide a valid email address in your report.

Our Response to Security Vulnerabilities

  • Once we have received a report of a security vulnerability, we will take the following steps:
    1. We will confirm the validity of the vulnerability and determine the scope of the issue.
    2. We will forward the report to our security team for review.
    3. Based on the severity of the vulnerability, we will consider whether it deserves a reward as part of our Bug Bounty Program.
    4. We will develop a plan to address the vulnerability, which may involve patching the issue or taking other steps to mitigate the risk.
    5. We will implement the plan as soon as possible.
    6. We will communicate with the person who reported the vulnerability to let them know that we have addressed the issue.
  • Please note that rewards for security vulnerabilities are at the discretion of FunnelStory and will be determined based on the severity of the issue.

Our Promise to Security Researchers

At FunnelStory, we believe in treating security researchers with respect and appreciation. We promise to do the following:

  • We will respond to all reports of security vulnerabilities in a timely manner.
  • We will keep you informed about the status of your report.
  • We will not take legal action against you if you comply with our Responsible Disclosure Policy.