Vulnerability Disclosure Policy

Version 1.1, Updated 28/08/2024

  1. Introduction
  2. Scope
  3. Reporting Guidelines
  4. What to Expect from Us
  5. Safe Harbor
  6. No Bounty Program
  7. Out of Scope
  8. Acknowledgments
  9. Continuous Improvement
  10. Security.txt File and Policy
  11. Contact Information

1. Introduction

At Leading Directions, the security and privacy of our users are of utmost importance. We recognize the valuable role that security researchers and the broader community play in identifying vulnerabilities. This policy outlines our approach to vulnerability disclosure, including how to report potential security issues, what to expect from us in response, and the legal considerations involved.

2. Scope

This policy applies to all application domains owned and operated by Leading Directions. We encourage the reporting of any security vulnerabilities found within this scope.

3. Reporting Guidelines

If you discover a security vulnerability in any of our applications, we ask that you:

  • Report Promptly: Please report the vulnerability as soon as possible to minimize the risk of harm to our users and data.
  • Submit Reports via Email: Send your findings to helpdesk@leadingdirections.com.au.
  • Provide Sufficient Details: Include enough information for us to understand the nature of the vulnerability and reproduce it. The more detail you provide, the quicker we can address the issue.

4. What to Expect from Us

Upon receiving a vulnerability report, our process is as follows:

  • Acknowledgment: We will acknowledge receipt of your report within 72 hours.
  • Triage and Assessment: Our security team will assess the validity, impact, and severity of the reported vulnerability. This process typically takes up to 10 business days.
  • Resolution: If the vulnerability is confirmed, we will work to develop and deploy a fix as soon as possible, prioritizing based on the severity of the issue.
  • Communication: We will keep you informed of our progress throughout the process and notify you when the issue has been resolved.

5. Safe Harbor

We appreciate the responsible disclosure of security vulnerabilities and are committed to working with researchers in good faith. While we are not able to provide formal legal assurances, we offer the following commitments:

  • Good Faith Protections: If you act in good faith and comply with this policy when reporting a vulnerability, we will consider your actions to be ethical and will not pursue legal action against you.
  • Scope of Protections: This protection is offered as long as your actions are within the boundaries of what is already legally permissible. We encourage you to refrain from actions that could cause harm to our users, data, or systems.

6. No Bounty Program

We do not currently offer a bug bounty program or monetary rewards for vulnerability reports. However, we deeply appreciate your efforts and may acknowledge your contribution publicly (with your permission) or offer a letter of appreciation.

7. Out of Scope

While we welcome all reports that may enhance our security, some issues are out of scope for this policy:

  • Physical Attacks: Vulnerabilities that require physical access to hardware or infrastructure.
  • Social Engineering: Issues related to phishing or other social engineering attacks.
  • Denial of Service (DoS): Reports on vulnerabilities that primarily result in DoS attacks.
  • Third-Party Applications: Vulnerabilities in third-party services or applications that integrate with our systems but are not under our direct control.

8. Acknowledgments

We value and respect the contributions of the security community. While we cannot offer financial rewards, we are open to publicly acknowledging your efforts with your consent. If you prefer to remain anonymous, we will respect that choice as well.

9. Continuous Improvement

We are committed to continually improving our security practices, including our vulnerability disclosure process. This policy and our procedures will be reviewed and updated regularly to ensure they remain effective and aligned with industry standards.

10. Security.txt File and Policy

Our security.txt file is available at https://buddynote.com.au/.well-known/security.txt and provides contact information and instructions for reporting vulnerabilities. For further details on how this file is maintained, please refer to our Security.txt Policy.

11. Contact Information

For any questions or to report a vulnerability, please contact our security team at helpdesk@leadingdirections.com.au.