Responsible disclosure policy
Last Revised: November 23, 2021
Data security is a top priority for Sitka, and Sitka believes that working with skilled security researchers can identify weaknesses in any technology.
If you believe you’ve found a real or potential security vulnerability in Sitka’s service, please notify us at security@trustsitka.com as soon as possible after you discover it.
Guidelines
- If you believe you’ve discovered a potential vulnerability, please email us at security@trustsitka.com. We work to respond to all disclosures promptly.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten (10) business days of disclosure.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only interact with accounts you own or for which you have explicit permission from the account holder.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Exclusions
While researching, we ask you to refrain from the following testing methods:
- Distributed Denial of Service (DDoS) or other tests that may impair access to or damage a system or data.
- Social engineering or phishing of Sitka employees or contractors.
- Spamming.
- Any attacks against Sitka’s physical property or data centers.
What You Can Expect from Sitka
- Within five (5) business days, we will acknowledge receipt of your submission.
- Within ten (10) days, we will provide any additional follow-up information we are able to.
- At this point in time, we are not able to offer monetary compensation for submitted vulnerabilities.
Thank you for helping to keep Sitka and our users safe!