We acknowledge the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Sendy is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us in accordance with this responsible disclosure policy.

# Reporting a Potential Security Vulnerability #

For the security of our users and service, we ask that you do not share details of the suspected vulnerability publicly or with any third party.

Please report the details of any suspected or detected vulnerabilities in Sendy by sending an email to `security@sendyit.com`, including the following information:

- Your name

- Vulnerability details with information to allow us to efficiently reproduce your steps and validate the vulnerability.

# What We Are Looking For #

- Cross-site Scripting (XSS)

- Cross-site Request Forgery (CSRF)

- Server-Side Request Forgery (SSRF)

- Database Injections

- Remote Code Execution Vulnerabilities (RCE)

- XML External Entity Attacks (XXE)

- Access Control Issues

- Exposed Administrative Panels that don't require login credentials

- Subdomain Takeover vulnerabilities

- Anything not listed but important

# What We Are Not Looking For #

- Vulnerabilities requiring physical access to the victim's unlocked device

- Denial of Service attacks

- Brute Force attacks

- Spam or Social Engineering techniques

- Content Spoofing

- Best practices concerns

- Issues relating to Password Policy

- Issues relating to token lifetime

- User enumeration

- Full-Path Disclosure on any property

- CSRF-able actions that do not require authentication (or a session) to exploit

- Version number information disclosure

- Reports related to missing security headers

- CSV Injection

- Lack of rate limiting

- Reverse Tabnabbing

- Bugs that do not represent any security risk

- Vulnerabilities that are limited to unsupported browsers

# Our Commitment to Security Researchers #

If you responsibly report a vulnerability in accordance with this policy, we will:

- Promptly respond to acknowledge the receipt of your report.

- Provide an estimated timeframe for addressing the vulnerability.

- Notify you when the vulnerability has been remediated.