Responsible Disclosure policy Startselect

Startselect Security Vulnerability Reporting Guidelines

Discovered a Security Flaw?
If you’ve identified a potential security flaw in Startselect’s systems, we encourage you to notify us first, before disclosing it publicly, to allow us to take appropriate action. This approach is known as responsible disclosure and helps maintain the safety of our users and systems.

How to Report a Vulnerability:
Please send your vulnerability report to security[at]startselect.com. Note that this email is exclusively for reporting vulnerabilities. For customer support, please visit: startselect.com/help.

What to Include in Your Report:
To ensure that we can accurately reproduce and address the flaw, please provide detailed information, including:
•IP address or URL: Information related to where the flaw was found.
•Description of the Flaw: Include a clear explanation of the vulnerability and steps to reproduce it. If the flaw is complex, additional details will be helpful.
•Your Contact Information: An email address or phone number so we can reach out if we need further clarification.

Timing and Confidentiality:

•Report Promptly: Notify us of the flaw as soon as you identify it.
•Keep the Information Confidential: Avoid sharing details about the flaw with others until it has been resolved.
•Responsible Handling: Do not exceed what is necessary to demonstrate the flaw.

Quality and Language of Reports:
Startselect reserves the right to discontinue responses or processing for reports that are invalid, of low quality, lack clarity, or cannot be expanded upon. Reports in languages other than English will not be processed.

What Not to Do:
To ensure your report meets our guidelines and is eligible for consideration, please avoid the following:
•Sending malware
•Copying, modifying, or deleting data from our systems (a directory listing is acceptable as an alternative)
•Altering the system
•Visiting the system repeatedly or granting access to others
•Using brute force attacks
•Attempting denial of service or social engineering
•Using automated scanning tools or exploit tools

What You Can Expect from Startselect:
•No Legal Repercussions: If you adhere to these guidelines, Startselect will not attach legal consequences to your notification.
•Confidential Treatment: Startselect handles all reports confidentially and will not disclose your personal information to third parties without your permission unless required by law.
•Acknowledgment: You will receive an acknowledgment of receipt within three working days of your submission.
•Response Timeline: Within three working days, you’ll receive an assessment of your report and an expected timeline for addressing the flaw.
•Progress Updates: We will keep you updated on the progress of resolving the issue.
•Resolution Timeline: Startselect aims to resolve security flaws as swiftly as possible, and no later than 60 days from the date of notification.
•Public Disclosure: We will work with you to decide whether and, if applicable, how to publicly disclose the flaw after it has been resolved.
•Reward Policy: Startselect may provide a reward to recognize your contribution. Rewards are determined at Startselect’s discretion and are based on the vulnerability’s severity and report quality. Please note that submitting a report does not guarantee qualification for a (paid) bounty.

Out-of-Scope Vulnerabilities:
The following vulnerabilities are considered out of scope for Startselect’s responsible disclosure program and will not be eligible for rewards or further action:
•Social Engineering: Including any attacks targeting internal employees.
•Physical Attacks: Against infrastructure, facilities, or offices.
•Automated Reports/Scans: Including scanner outputs or any automated or active exploit tools.
•Employee Account Compromise: Vulnerabilities discovered by compromising an employee’s account.
•Email and Spam Policies: SPF, DMARC issues, spam, or attacks using spoofed emails.
•Network Vulnerabilities
•Account Takeover Risks: PLA, user enumeration, etc.
•Clickjacking & CSRF: Including login/logout CSRF.
•Information Disclosure: Fingerprinting, error messages, etc.
•Protocol-Level Attacks: BEAST/BREACH, etc.
•Security Headers: Including missing HTTP-only flags, etc.
•Tabnabbing
•Cache Vulnerabilities: Cache issues post-logout.
•Password Policies
•Compromised Credentials: Found in the wild (e.g., haveibeenpwned).
•Rooted Device Vulnerabilities: Any app vulnerabilities requiring rooted devices (Android/iOS).
•Unsupported/EOL Systems: Flaws on systems or OS that are end-of-life or unsupported (e.g., Android 11).

For further guidance on valid reports, refer to Google’s Bug Hunter Guidelines, which align with our view on common non-vulnerabilities.

Last updated: 1 November 2024