Have you discovered a security flaw at Startselect?
Please notify us before informing the outside world, so that we can first take action. Doing so is called ‘responsible disclosure’.
What to do:
Report a vulnerability via an email to security[at]startselect.com. This email can only be used for vulnerability reports.
For customer support go to: https://startselect.com/help
Give enough detail to enable us to reproduce the flaw so that it can be remedied as soon as possible. The computer’s IP address or URL and a description of the security flaw is usually sufficient. The more complicated the flaw, the more detail we will require.
Leave your contact details so that we can contact you later. At least an email address or telephone number.
Report the flaw as soon as possible after discovering it.
Do not share any information about the flaw with others until it has been remedied.
Deal responsibly with the information in your possession. Do nothing beyond what is necessary to demonstrate the security flaw.
We have the right to stop responding/processing one or more reports from you. We do this when, for example, we receive a lot of invalid reports from you. Or when your reports are of insufficient quality, are unclear or cannot be given more detail. When we receive reports in languages other than English, we will not process them.
What not to do:
Copy, change, or delete data in the system concerned (as an alternative, you can create a directory listing of the system);
Change the system;
Repeatedly visit the system or share access with others;
Use ‘brute force’ to open the system;
Try denial of service or social engineering.
Use automated scanners or other automated tools
What to expect:
When you report the security flaw, check that you comply with the conditions described above. If you do so, Startselect will not attach any legal consequences to your notification.
Startselect treats the notifications it receives confidentially. It will not share your personal details with third parties without your permission unless required to do so by law or a court order.
Startselect can, if you wish, mention your name as the one who discovered the security flaw.
Startselect will send you an acknowledgement of receipt within three working days.
Startselect will respond to your notification within three working days. Its response will contain an assessment of your notification and the date on which it expects to remedy the flaw.
Startselect will keep you – as the one who discovered the flaw – informed of the progress made in remedying it.
Startselect will remedy the flaw as soon as possible, certainly no later than 60 days after receiving the notification. Startselect will work with you to determine whether and, if so, how the flaw reported is to be made public. It will not be made public until after it has been remedied.
Startselect can give you a reward as acknowledgement of your assistance. Depending on the severity of the vulnerability and the quality of the report, that reward may vary. A reward is granted solely at the exclusive discretion of Startselect.
Social engineering attacks, including those targeting internal employees
Physical attacks against our infrastructure, facilities and offices
Scanner output or scanner-generated reports, including any automated or active exploit tool
Any vulnerability obtained through the compromise of employee account
Email policies like SPF or DMARC. Spam. Attacks using spoofed or fake emails
Account takeover (PLA, User enumeration, etc)
Clickjacking, Login/logout CSRF
Fingerprinting, error message disclosure
Protocol level attacks (e.g BEAST/BREACH)
Lack of security headers, httponly flags, etc
Cache after logout
Please also take a look at https://bughunters.google.com/learn/invalid-reports. We pretty much follow Google's view that these should not be seen as vulnerabilities.
Last updated: 11 June 2022