We acknowledge the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Sendy iscommitted to working with security researchers to verify and address any potential vulnerabilities that are reported to us in accordance with this responsible disclosure policy.
#Reporting a Potential Security Vulnerability#
For the security of our users and service, we ask that you do not share details of the suspected vulnerability publicly or with any third party.
Please report the details of any suspected or detected vulnerabilities with Sendy by sending an email to `firstname.lastname@example.org` , including the following information:
- Your name
- Vulnerability details with information to allow us to efficiently reproduce your steps and validate the vulnerability.
#What We Are Looking For#
Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
Remote Code Execution Vulnerabilities (RCE)
XML External Entity Attacks (XXE)
Access Control Issues
Exposed Administrative Panels that don't require login credentials
Subdomain TakeOver vulnerabilities
Anything not listed but important
#What We Are Not Looking For#
Vulnerabilities requiring physical access to the victim's unlockeddevice
Denial of Service attacks
Brute Force attacks
Spam or Social Engineering techniques
Best practices concerns
Issues relating to Password Policy
Issues relating to token lifetime
Full-Path Disclosure on any property
CSRF-able actions that do not require authentication (or a session) to exploit
Version number information disclosure
Reports related to missing security headers
Lack of rate limiting
Bugs that do not represent any security risk
Vulnerabilities that are limited to unsupported browsers
#Our Commitment to Security Researchers#
If you responsibly report a vulnerability in accordance with this policy, we will:
Promptly respond to acknowledge the receipt of your report.
Provide an estimated timeframe for addressing the vulnerability.
Notify you when the vulnerability has been remediated.