Keeping our customers' information and assets secure is our highest priority. If you believe you have found a vulnerability in one of our systems, we encourage you to report it to us promptly so that we can fix it. We are grateful to everyone who takes the time to report a weakness, provided they follow the responsible disclosure guidelines below.
Scope
Formalize's Responsible Disclosure Program currently covers security vulnerabilities found in the following web services:
https://app.formalize.com/*
https://api.formalize.com/*
Rules of Engagement
Before submitting a vulnerability report, please read and follow these rules:
- Do not deliberately access non-public data beyond the minimum needed to demonstrate the vulnerability; once you can show the issue exists, stop and report it.
- Do not permanently modify or delete data hosted by Formalize.
- Do not perform denial-of-service (DoS/DDoS) attacks or take any other action that may disrupt, interrupt, or degrade Formalize's internal or external services.
- Never install a backdoor in the system, even to illustrate the vulnerability.
- Do not share or publish confidential information obtained from Formalize.
- Social engineering is out of scope. Do not send phishing emails or use other social engineering tactics against anyone, including Formalize staff, members, vendors, or partners.
- Do not use brute-force techniques (for example, repeated password guessing) to gain access to a system.
- Do not target our end users in any way, and do not take part in the trade of stolen user credentials. If you become aware of such trading, we would appreciate being notified.
What to Report
Broadly, we want to hear about vulnerabilities that:
- Expose non-public client information
- Allow a user to read or modify data that is not their own
- Could lead to data compromise or leakage, affecting data confidentiality, data integrity, or user privacy
In particular, we are interested in vulnerabilities such as:
- Cross-site request forgery (CSRF/XSRF)
- Cross-site scripting (XSS)