This policy is intended for security researchers who have an interest in reporting security vulnerabilities or even potential security-related issues to the SessionLab security team.

This also sets our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, time, good will, and professional behavior.

Scope

SessionLab’s VDP initially covers the following assets for reporting:

As we move forward with this experience, we will add more assets to our scope, so stay tuned!

What you can expect from us

First Response Time: when you send us the initial submission, we will make our best effort to reply to you as soon as possible. Expect a reply from one of our team members in five workdays or less (we always have something to do, so we might not respond to emails as fast as you would expect us to 😉).

Triaging Time: we are committed to working with security researchers to help identify and fix vulnerabilities on any of our scoped systems, and we will try to keep you updated about the progress of your report throughout the triage process. Keep in mind that this could take up to 15 workdays (three weeks) from the initial submission day.

Safe Harbor: we promise that we will NOT take any legal action against participating researchers who act in good faith by following the guidelines outlined in this policy. If you have any doubt about this or any point of this policy, submit your report to us before engaging in conduct (accidental or not) that may be inconsistent with or unaddressed by this policy, or don't hesitate to use one of our communication channels listed in this policy to contact us.

Research Safety: if you come up with some fancy new techniques/vulnerabilities that you want to keep secret, e.g., until you present them at a security conference (this must be aligned with this document), we can assure you we will keep them secure, confidential and encrypted, and we will not share them with any third party.