Vulnerability Disclosure Policy
We take the security of our assets with the utmost seriousness. We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services to better protect our customers.
We ask that you follow our Vulnerability Disclosure Policy Guidelines and make an effort in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our service whilst you research.
How to report a vulnerability
If you identify a potential vulnerability in Instarem’s web or mobile applications, we encourage you to report it to us immediately at [email protected].
Things to note when preparing the report
- Write a detailed PoC (Proof of Concept) with screenshots elaborating the exact steps performed to exploit the issue as well as highlighting the risks associated with it.
- To ensure confidentiality, password-protect the document before sharing it with us.
- We urge the reporter to keep any communication regarding the vulnerability disclosure confidential.
Eligibility of the report
Upon receiving a vulnerability report, Instarem shall investigate and verify the vulnerability, and determine if it’s eligible for our reward program.
- Duplicate check – whether the vulnerability has already been reported before.
- Criticality of the vulnerability – In scoring the vulnerabilities, Instarem adheres to industry best practices to designate the vulnerability’s impact as high, medium, or low.
- Potential impact to our infrastructure.
Factors excluded from vulnerability disclosure program
- Physical attacks against Instarem employees or offices.
- Social engineering of Instarem employees, contractors, vendors, or service providers.
- Knowingly posting, transmitting, uploading, linking to, or sending any malware.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
- Any vulnerability obtained through the compromise of an Instarem customer or employee account. If you need to test a vulnerability, please create a free account.
Confirmation of vulnerability and reward
- Instarem shall then release a fix to address the issue at the earliest.
- Instarem shall endeavor to keep the reporter apprised of the status of the vulnerability.
- Instarem shall reward the reporter with a credit as deemed appropriate.
Only non-duplicate vulnerabilities classified as ‘High’ shall be considered for reward.