Security
Upgrade is committed to ensuring the safety and security of our customers, employees, contractors, business partners, and others who use our products and services. As part of this commitment, we’ve established a coordinated vulnerability disclosure program to provide guidance for our products and information systems.
We recognize that the security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and that fostering a relationship with the community can help improve our own security. You are encouraged to disclose to us any vulnerability in the Upgrade system.
Vulnerability Disclosure Program Policy
Policy
Upgrade is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any of Upgrade’s products, systems, or assets.
During testing, please do not conduct denial-of-service (DoS) or resource-exhaustion attacks. If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program. Thank you in advance for your submission.
Program Guidelines
Researchers shall disclose potential vulnerabilities to Upgrade in accordance with the following guidelines:
- Do not engage in any activity that violates (a) any United States federal or state law or regulation or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy Upgrade data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Upgrade. This step protects any potentially vulnerable data, and it protects you.
- Do not engage in any activity that can potentially or actually cause harm to Upgrade, our customers, or our employees.
- Do not engage in any activity that can potentially or actually stop or degrade Upgrade services or assets.
- Do not initiate a fraudulent financial transaction.
- Do not conduct denial-of-service (DoS) or resource-exhaustion attacks.
- Provide Upgrade reasonable time to fix any reported issue, and do not disclose any reported issues publicly or to any third party without Upgrade’s express consent. Upgrade will consider any request from a researcher to make a public disclosure but reserves the right to deny such disclosure requests.
Upgrade may modify the terms of this policy or terminate the policy at any time.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issue is considered out of scope:
- Brute forcing user accounts
Upgrade reserves all legal rights in the event of noncompliance with these guidelines. Once a report is submitted, Upgrade will endeavour to provide prompt acknowledgment of receipt of all reports (typically within two business days of submission) and to keep you reasonably informed of the status of any validated vulnerability that you report through this program.
How to Submit a Report
Email us at security-reports@upgrade.com. Please read the vulnerability reporting instructions below before submission.
Vulnerability Reporting Instructions
Upgrade asks that you include as much of the following information in your report as possible regarding the potential issue:
- Affected asset (potential attack surface)
- Type of potential issue discovered
- Estimate of the severity of the potential issue
- A proof-of-concept or functional exploit that demonstrates the potential issue (title, description with summary, steps to reproduce, and supporting material and references)
- The potential impact of the vulnerability (what security impact an attacker could achieve)
Once we receive your report, Upgrade will review and may contact you to request additional information.
By submitting a report, you agree to HackerOne's Terms and Conditions and acknowledge that you have read HackerOne's Code of Conduct and Disclosure Guidelines.