Responsible Vulnerability Disclosure Policy


RESPONSIBLE VULNERABILITY DISCLOSURE POLICY

This policy is addressed to security researchers interested in reporting security vulnerabilities to The Mail Track Company S.L. (Mailtrack), and must be read in the context of the Mailtrack Terms of Use and Purchase.

If you believe you've discovered a security vulnerability on a Mailtrack property or application, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it is fixed. We appreciate your assistance, and we review all reports and will do our best to address the issue in a timely fashion. To encourage responsible disclosure, Mailtrack will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that a disclosure meets the following guidelines.

Responsible Disclosure Guidelines

  • Notify Mailtrack and provide us details of the vulnerability. Please provide us a reasonable time period to address the issue before public disclosure.
  • Provide an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information.
  • We will confirm your email and evaluate the validity and reproducibility of the issue. For valid issues, we will work to fix the issue and keep you appraised of progress.
  • Make a reasonable effort to avoid service disruption (e.g. DoS), privacy issues (i.e. accessing a Mailtrack user’s data), and data destruction when performing vulnerability research.
  • Do not request compensation for security vulnerability reports either from Mailtrack or external vulnerability marketplaces.
  • Do not phish or social engineer employees, partners, or users of Mailtrack.
  • Do not run automated scanning tools and send us the output without confirming the issue is present. Security tools often output false positives that should be confirmed by the reporter.

Vulnerability Categories We Encourage

We are primarily interested in hearing about the following vulnerability categories:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection Attacks
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope Vulnerability Categories

The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit on our researcher list:

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS)
  • User enumeration
  • Brute forcing
  • Secure flag not set on non-sensitive cookies
  • HTTPOnly flag not set on non-sensitive cookies
  • Logout Cross Site Request Forgery (CSRF)
  • Issues only present in old browsers/old plugins
  • HTTP TRACE method enabled
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

How to Report a Security Vulnerability

Please email security-report@mailtrack.io to report security vulnerabilities to Mailtrack. If you feel the email should be encrypted, our PGP key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFdqq4YBCADIsTtcwoiR198qdjvzbp8H8Ont6smw0iEywZi/0Cs5/6sqxkT9
XyOBZ/DeymGT0kAPjPWy7OxqgVpWVtHvMK1ljOyX3Wd0ksgfEysnVBkiPuvdYUUp
daP4jjg4T+UVjMSZMjOrJGWdux9df0kAJQCjkPerBt//eSCb0/4a4+XwZF7egfh3
c2S3Cfs+eWgHU2KrpVcCFUjXtbS526bdTljOMH4TCR4jyIILPwveWzYYoQEuTCd4
BaGkpRemFHEWG7Si7dDfwrr67ZOCUkYeHfuKpP8DIL08Mf35XH+bWgWe/k1R6rqY
dTPQI+HXch32UmisEPhidBHu548FCbKfMf5jABEBAAG0Nk1haWxUcmFjayBTZWN1
cml0eSBUZWFtIDxzZWN1cml0eS1yZXBvcnRAbWFpbHRyYWNrLmlvPokBOAQTAQIA
IgUCV2qrhgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQjYfnIj9UaJ2Y
zggAjGtQLzlMuogqunMBLBQapKNhiFkE5UKIJwJy8C71qvrP0/BeoYe5LPYYJX+T
JqGH2GRiSEKlg2N/RKF/gUAYYk1/OpNVcLjdGDJkg8/V3OgAMIz+mr31f31eW0yH
bYVVc/Ofq5EUiiSomz0f7NtpekWPNpUt0KBDYArkqFUdwQTwpzvjEcm3rmnPRgg3
7WEO7KrIblMWSd0i7dr9332p+ZSPkbC1EfzefBY7yOurbWZPJP1+L3ax9z6DjM/M
HnxQyCm9gf0FDfQo9OAC7zsiYvZSJgiScI2rIa7hEOry/OhptxfRrFOnOV+Riw4+
dPnD23V785ff6zKzkMQE0u2lv7kBDQRXaquGAQgA2ny3iofqG3gc7Kki95C/yAQC
lKtTyrn3XnRI7Dl5knLetXdQK1lkOLtI1ObDLQm438Z3OuJ0azYy3YvncDOz3jrV
m05EjhYBftxlRdIHATJ0v5hPRyB/uBxaR4FGFm2/aFjMLhX28Ck37YQc1ieRvq8A
7tXoaOdGCgak5Z5KHtksB5gtJyWgKZQ0ifqmImn52iovgzgMaN25IeFiZk7ASTXu
AP1EkWf52VizaQX92/ehT53vMREZqAR+DuqFLKL21YvZ3gzUZ3+wAQRwaIq5KrRM
fKT9EkYO0+iIhcEcyNAJBn4oB0uK46jWadNj2v9ymKGmXALKbA5lR9Uwi2ipQwAR
AQABiQEfBBgBAgAJBQJXaquGAhsMAAoJEI2H5yI/VGidqZAIAKOapLU7HUoKmE/t
eufN7OfgObmSXaSFuX7Q1jalUvjxiJnx5wYoMBe1+7wLnLrku83XmaWQHw60o/uI
q5AINPlt2csAfbgR0JA1skGKA5GCtGCey9gNSPUbhecrAKlaQr/ggKEmTYjDojSx
aJWFM7Io0nARHHeg0wyv83b27zV0Iu+mT1hJJJ4YhMZsgBpAc3bBXl8gi+U376Uv
mu/khq7fbj0pw/M2rRE1VTD6DfNMB7qQMmjuf1BSS+P59XPvjIxEcJMm+Nvq90Vy
mWCzDwPm2sxR4orrHAP29rLWYFZGidOQzlst42lf0ClcOmuYqYaKZHJ1JgYJjxt7
XUVTVqk=
=IRpM
-----END PGP PUBLIC KEY BLOCK-----

Participating Security Researchers

2015
Fida Hussain
2016
Suhas Gaikwad