Hello security researcher!
Security and privacy are not just important to polypoly; they are at the core of our business. polypoly appreciates your effort to help us build a new, secure and transparent data economy.
If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, the polypoly Information Security Team wants to hear from you.
This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
All legitimate reports will be investigated and, if required, the problem will be fixed or mitigated as soon as possible. We ask that you follow this Vulnerability Disclosure Policy and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services during your research.
In order to protect our customers and members, polypoly kindly asks that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and have informed our customers, members and partners, if needed.
This policy applies to any digital assets (including public facing websites) owned, operated, or maintained by polypoly.
A reference to "polypoly" in this policy means any of the following organisations:
Any asset or other equipment not owned by polypoly is out of scope.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Any of the following activities are prohibited and out of scope:
We kindly ask you not to send reports about security issues without a proven impact.
When responsibly disclosing vulnerabilities and working with us according to this policy, you can expect us to:
In response to your initial submission email you will receive an acknowledgement reply email from the polypoly Information Security Team. We aim to respond within one working day of your report being received.
Following the initial contact, our Information Security Team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope. We aim to respond within 7 working days of your report being received.
From this point, necessary remediation work will be assigned to the appropriate polypoly teams and/or supplier(s). Priority for security bug fixes and/or mitigations will be assigned based on the severity and complexity of exploitation. If necessary, polypoly will obtain a CVE number for the vulnerability.
Our goal is to remediate critical security issues within 7 working days of triage being finished, and within a maximum of 30 working days for any other issue. However, especially when third-party dependencies and external suppliers are involved, remediation may take longer, in which case we will share the estimated remediation time with you. Our Information Security Team will notify you when the reported vulnerability is resolved and will ask you to confirm that the solution covers the vulnerability adequately. For all qualifying vulnerabilities polypoly will publish a security advisory and ask for details you wish to be included. We will also offer to include reporters of qualifying vulnerabilities on our security acknowledgments page.
If polypoly publishes a security advisory we will notify you accordingly. Afterwards you are welcome to publish your findings.
At this time polypoly is not offering a paid bug bounty program.
However, we will offer to include reporters of qualifying vulnerabilities on our security acknowledgments page and to include their details in our security advisories.
In participating in our vulnerability disclosure program in good faith, we ask that you:
When submitting a report, we ask that you:
Please contact polypoly's Information Security Team at firstname.lastname@example.org to report security issues, providing all relevant information.
Please use our PGP key to encrypt your email messages when reporting security issues.
When you conduct vulnerability research according to this policy, we consider this research to be:
You are expected, as always, to comply with all applicable laws, and not to intentionally disrupt or compromise polypoly systems and services.
If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
polypoly reserves the right to make the determination of whether a violation of this policy is accidental or in good faith. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of our Official Channels before going any further.
Please note that the Safe Harbor applies only to legal claims under the control of the polypoly organisations participating in this policy, and that the policy does not bind independent third parties.
Last Updated: May 4th, 2021
polypoly would like to thank the following individuals and organisations for responsibly disclosing a security vulnerability in a polypoly online service or product in accordance with polypoly's Vulnerability Disclosure Policy.