Rezdy is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is a important means of achieving our security goals.
If you believe you have found a security vulnerability in one of our products, we welcome and greatly appreciate you reporting it to email@example.com, as long as it falls in scope and is not one of the types of vulnerability listed as out-of-scope below.
Domains IN SCOPE are:
The following items can be reported to us via email, but are out of scope for bounty rewards:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Vulnerabilities related to 3rd-party software, libraries & scripts
- Content-Security-Policy and X-Frame headers (including clickjacking)
- Rezdy API keys publicly available
- CORS configuration
The following items should not be reported:
- Stack traces
- Application or server error messages
- Use of out-of-date 3rd party libraries without proof of exploitability
- Password or account recovery policies, such as reset link expiration or password complexity
- Reports from automated web security scanners
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Disclosure of known public files or directories, (e.g. robots.txt)
- Vulnerabilities only affecting end of life browsers or platforms
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Content spoofing/text injection
- Presence or absence of HTTP headers (nosniff, HOST, etc.)
- Server information disclosure (e.g. version, hostname)
To encourage coordinated disclosure, Rezdy does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:
- Researchers will report details of a discovered security issue to Rezdy without making any information or details of the vulnerability public
- Researchers will allow Rezdy reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known. Rezdy will commit to provide an initial response to the researcher within 30 days.
- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the privacy of any Rezdy customer or data. This includes disrupting or degrading Rezdy’s products and service to its customers.
The following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:
- Denial of service
- Brute-force attacks
- Social engineering (including phishing) of Rezdy staff or contractors
- Any physical attempts against Rezdy property
At this time, we are not automatically awarding bounties or cash rewards for reported vulnerabilities. However, we’re able to reward researchers who find highly critical issues on a case-by-case basis.