- SQL injection vulnerabilities
- RCE (remote code execution) attacks
- Stored XSS
- Account takeover or accessing data that belongs to another account
Out-of-scope vulnerabilities
The following types of vulnerabilities are out of scope for this program:
- Phishing
- Social engineering
- Physical security assessments
- Any form of denial of service (DoS) attack
Responsible disclosure guidelines
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
- Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
- Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Provide the complete details related to the security issue, including a proof-of-concept (PoC) URL, as well as the details of the system(s) where tests have been conducted.
Don't
- Don't cause harm to Sender, its customers, shareholders, partners or employees.
- Don't engage in any act that may cause an outage or stop any of Sender's services.
- Don't engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
- Don't store, share, compromise or destroy any Sender data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.
- Don't conduct fraudulent activity or complete fraudulent financial transactions as part of your research.