Spotio, Inc., the cloud base SAAS platform for FIELD SALES ENGAGEMENT PLATFORM is committed to ensuring the safety and security of our products, services, and customers. As such, we are publishing this Policy and Program.
- Respect the rules. Operate within the rules set forth here, or speak up if in strong disagreement with the rules.
- Respect privacy. Make a good faith effort not to access or destroy another user’s data.
- Be patient. Make a good faith effort to clarify and support their reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
This Program shall only apply to our SAAS platform we license to our customer as a subscription plan to use on endpoint: https://app.spotio2.com .
This Program does not apply to our website and non-service-oriented infrastructure, and certain vulnerabilities. The following are examples (but not a limited list) of properties and vulnerabilities that are out of scope:
- *.spotio.com web properties
- Attacks involving stolen credentials or physical access to endpoint devices
- Automated Scans (without an exploitable PoC)
- Host Header Injection (without providing an exploitable scenario)
- Content Spoofing Vulnerabilities
- HTTP Trace method is enabled
- Denial of Service (DoS) or DDoS
- DLL hijacking (without escalation of privileges)
- DNS configuration related issues (including email ones)
- Issues present in older versions of browsers, plugins, or any other software
- Low Severity Clickjacking Vulnerabilities
Spotio, Inc. will not engage in legal action against individuals who, in good faith, submit vulnerability reports following these guidelines and procedures.
How to Submit a Vulnerability
First, you should review and agree to the Responsible Disclosure Agreement. Then, submit the vulnerability report to firstname.lastname@example.org.
Upon receipt of the report, we will review and investigate the vulnerability as soon as practicable and no later than within 30 days from receipt of the report. You will be notified when this investigation starts. We use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. If we determine that vulnerability requires remediation, we will start remediating the vulnerability as soon as practicable.
After remediation, you may be eligible to receive a bounty payment, subject to the terms and conditions of the Responsible Disclosure Agreement. While we use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity, we reserve the right, in our sole discretion, whether the vulnerability qualifies for a bounty payment.
This policy is current as of January 9, 2021