Partnerize is strongly committed to safeguarding data entrusted to us by our clients and their partners. We appreciate the collective goodwill of the technical community. We appreciate the willingness of security flaw reporters to help us discover and address security flaws.
Like a growing number of progressive technology companies, we have striven to make it straightforward for you to report issues you may find. We appreciate your willingness to help us provide strong data security and want to make it simple for you to report your observations.
Please note, we do not have a public “Bug Bounty” program.
We appreciate your willingness to inform us of your findings, and we pledge to investigate and follow up thoroughly to resolve the issues that are identified. We’ve created a special form to make it easy to flag an issue for our team.
When you report a potential security vulnerability, we recognize that it takes time and commitment to do so, and that you expect us to investigate and address that suspected flaw. Here is an outline of the actions we take:
- Our security team reviews and investigates all reports of security flaws submitted via this responsible disclosure system.
- We want to make it easy for reporters to provide information to us about a potential vulnerability. Therefore, we have created a form-based system that solicits all the information we need to conduct a proper investigation.
- We recognize the positive intentions of flaw reporters acting in good faith and will not investigate or pursue legal action against good-faith actors if a flaw is discovered and reported in good faith
- Respond and acknowledge your report within seven calendar days
- Request any additional information we need to investigate your report if required
- Work with you to confirm the vulnerability, the extent to which it affects us, and let you know how long we think the vulnerability will take to fix. Our aim is to fix vulnerabilities within 90 days of confirmation
- Notify you when the vulnerability has been fixed
- Review what went wrong and update our practices and processes to improve our products and services
- We adhere to all requirements for disclosure of security breaches to appropriate authorities according to the laws of the various countries and locales in which we operate.
If applicable, we will report potential security flaws with clients so that they are aware of ongoing risks and can take necessary actions if applicable.
We expect reporters to:
Ensure that the confidentiality of our customers data is respected at all times. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. Do not save, store or transmit this information.
Act in good faith. Please:
- Work with us. Promptly report any findings to us. Stop testing once the first vulnerability has been discovered. Explicit permission must be given by Partnerize to continue testing.
- Don’t exfiltrate any data. A proof of concept should be used to demonstrate the vulnerability.
- Don’t use a vulnerability to disable further security controls
- Don’t undertake any form of social engineering
- Don’t perform any testing of physical security at any Partnerize sites
- Don’t break the law, or any agreements you may have with Partnerize or third parties
- Ensure that the confidentiality of our customers’ data is respected at all times. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords, and other credentials. Do not save, store or transmit this information
- Don’t perform testing likely to delete, destroy or corrupt anyone else’s data
- Don’t perform testing likely to affect other users e.g. denial of service and brute-force attacks, spamming
- Don’t use automated scanners/fuzzers
INSTRUCTIONS FOR PARTNERIZE EMPLOYEES AND CONTRACTORS
If you are a Partnerize employee or contractor, use the internal process for reporting incidents, rather than the Responsible Disclosure form. For more information contact the Security Team.
HOW TO FILE A RESPONSIBLE DISCLOSURE TICKET
Please fill out the form we have created for this purpose.
When you click send, the form will send the relevant information to members of our security team, who will investigate promptly. We will follow-up with you within seven working days to acknowledge your message, ask further questions, and provide more information.
Thanks again for your willingness to help us provide a secure environment for data.
Partnerize Security Team