Responsible Disclosure Policy
At InStaff, we work vigilantly to protect our customers' information and assets within our applications and systems.
Keeping InStaff customer and user information safe and secure is a top priority and we recognize the important role that security researchers play in achieving this. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified within an application or system belonging to us.
If you discover a vulnerability relating to our applications and systems please notify us using the guidelines below.
To encourage responsible disclosure, we commit that if we conclude that a disclosure respects and meets all the guidelines outlined below, we will not bring a private action against the researcher or refer the matter for public inquiry.
Guidelines for responsible disclosure
Share the discovered vulnerability with us before disclosing it to peers or posting it on message boards, mailing lists, or other forums.
Allow us reasonable time to respond to the issue before disclosing it publicly.
Provide full details of the security issue and describe how you found it so we may reproduce the issue.
Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local copies upon reporting the vulnerability to us.
Understand that we use services that are not under our control. Reports of vulnerabilities in third-party services (e.g. Azure Websites, Mixpanel, HubSpot, etc.) will be forwarded to the corresponding partner companies; we will not be triaging such cases.
Do not engage in potential or actual denial of service of InStaff applications and systems.
Do not use an exploit to view data without authorization or to corrupt data.
Do not request direct compensation for reporting security issues, either from InStaff or through any external vulnerability marketplace, black-market or otherwise.
Report security vulnerabilities to
security@instaff.org
Please include an email address where we can reach you in case we need more information.
We take security seriously and will respond quickly to fix verifiable security issues. When properly notified of legitimate issues, we will do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible.
Reward
InStaff does NOT currently offer compensation through a "bug bounty" program for vulnerabilities that are disclosed.
We will, at our discretion, give our thanks and acknowledgement for new and interesting reports in the Thank You section of this page.
Please note however that providing a report does not guarantee a credit.
Focus Areas
Please restrict vulnerability testing to the following domains ONLY:
staging.instaff.org
security-staging.instaff.org
Any websites or applications not listed above are OUT OF SCOPE.
Out of scope
The following vulnerabilities are out of scope for submission under this policy:
Social engineering, such as attempts to steal cookies, fake login pages that collect credentials, and phishing.
Denial of service attacks.
Password, email and account policies, such as email ID verification, reset-link expiration, and password complexity.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Login/logout CSRF.
Attacks requiring physical access to a user's device.
Missing security headers which do not lead directly to a vulnerability.
Use of a known-vulnerable library (without evidence of exploitability).
Reports from automated tools or scans.
Reports of spam (i.e., any report involving the ability to send emails without rate limits).
Presence of the autocomplete attribute on web forms.
Rate limit testing of web forms.
Thank You!
Thanks for helping to keep InStaff and our customers safe. We appreciate the effort.
Below is a list of security researchers (in alphabetical order) who have participated in our responsible disclosure program.