Responsible Disclosure Policy
RESPONSIBLE DISCLOSURE POLICY
RESPONSIBLE DISCLOSURE POLICY
At 17 Looms, safeguarding the integrity of our systems is paramount. We are committed to maintaining a secure environment for our customers. Should you, whether a security researcher or a member of the general public, discover any vulnerability within our systems, we value your contribution and pledge to work collaboratively with you to promptly address any reported issues. We are also dedicated to publicly acknowledging your efforts.
How to report a bug:
If you identify a vulnerability on any of our web platforms, please follow these steps:
- You can visit https://17looms.com/pages/contact . send us an email on support@17looms.com Please provide the necessary details to recreate the vulnerability scenario, such as screenshots, videos, or text instructions.
- Share your contact details (email, phone number) for our security team to reach out if further information is required to address the issue.
- Provide sufficient information to replicate the problem to facilitate a swift resolution.
- Refrain from disclosing the problem to others until it has been resolved.
- Do not engage in attacks on physical security, social engineering, distributed denial of service, spam, etc.
Eligibility:
Any bug that presents a significant vulnerability may be eligible for recognition, subject to our discretion. Security issues typically eligible for recognition are listed under Vulnerability Categories.
Vulnerability Categories:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL Injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File Inclusions (Local & Remote)
- Protection Mechanism Bypasses (CSRF bypass, etc.)
- Leakage of Sensitive Data
- Directory Traversal
- Payment Manipulation
- Administration Portals Without Authentication Mechanism
- Open Redirects Allowing Theft of Tokens/Secrets
Rules:
- Respect the privacy of other users, and refrain from destroying data or disrupting our services.
- Only investigate bugs or findings within your own accounts. Do not target or disrupt other users' accounts.
- Do not attempt to compromise physical security measures or engage in social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- If a severe vulnerability allowing system access is discovered, do not proceed further.
- The decision to address and fix bugs lies with 17 Looms.
- Bug reports must not be disclosed to parties other than 17 Looms and are subject to our discretion.
- Any form of threat will disqualify you from the programme automatically.
- Exploiting or misusing a vulnerability for personal gain or benefit will disqualify the report automatically.
- Communications regarding bug disclosure with 17 Looms' Security/Technology Team must remain confidential. Researchers must delete all artefacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
Acknowledgments:
While we do not operate a cash/bug bounty programme, we are pleased to issue a certificate of recognition to individuals who report security issues responsibly and contribute to enhancing the security of 17 Looms' systems.
Contributors - 17 Looms Responsible Disclosure Programme:
We extend our gratitude to all individuals who have identified and reported vulnerabilities in 17 Looms' systems as part of the responsible disclosure programme. We sincerely appreciate their technical skills, security expertise, and constructive engagement with 17 Looms.