Vulnerability Disclosure Program

Overview

At Blockit, we take security seriously and appreciate the efforts of security researchers who help us maintain the highest standards of security for our users. This Vulnerability Disclosure Program outlines how security researchers can responsibly report potential vulnerabilities to us.

Scope

This program covers all Blockit-owned systems, applications, and services, including:

  • Web Applications: All Blockit web applications and APIs
  • Mobile Applications: Blockit mobile apps (iOS and Android)
  • Infrastructure: Blockit-controlled servers and network infrastructure
  • Domains: All subdomains under *.blockit.com
  • Third-Party Integrations: Blockit-specific implementations of third-party services
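As an added illustration (not part of Blockit's own program text or tooling), the Python helper below shows how a researcher can test a host or URL against the *.blockit.com scope line above before probing it. Only the domain name comes from the page; the function names, the constructed sample hosts, and the choice to treat the apex blockit.com as in scope are assumptions made for this example. It also shows why a plain string-suffix check is the wrong tool: it accepts look-alike registrations and rejects URLs with ports or paths.

```python
from urllib.parse import urlsplit

# Taken from the program's "Domains" line. Everything else in this script is
# constructed for illustration and is not Blockit's code.
SCOPE_DOMAIN = "blockit.com"


def _hostname(target: str) -> str:
    """Return a normalised hostname from a bare host or a full URL.

    Handles scheme-less input, ports, userinfo, trailing dots and case,
    all of which a naive string check gets wrong.
    """
    target = target.strip()
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse host[:port]
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def in_scope(target: str, scope_domain: str = SCOPE_DOMAIN,
             include_apex: bool = True) -> bool:
    """True if target is scope_domain itself (when include_apex) or any subdomain of it.

    include_apex=True is an assumption: the wildcard line alone is ambiguous
    about the apex, so adjust it to the program owner's reading.
    Matching is done on DNS labels, so 'evilblockit.com' and
    'blockit.com.attacker.net' are rejected.
    """
    host = _hostname(target)
    scope_domain = scope_domain.rstrip(".").lower()
    if not host:
        return False
    if host == scope_domain:
        return include_apex
    return host.endswith("." + scope_domain)


def naive_in_scope(target: str, scope_domain: str = SCOPE_DOMAIN) -> bool:
    """The common mistake, shown for contrast: a bare suffix check on the raw string."""
    return target.lower().endswith(scope_domain)


if __name__ == "__main__":
    # Constructed sample targets covering the edge cases above.
    samples = [
        "api.blockit.com",
        "https://app.blockit.com:8443/login",
        "BLOCKIT.COM.",
        "evilblockit.com",
        "blockit.com.attacker.net",
        "https://blockit.com@attacker.net/",
    ]
    for s in samples:
        print(f"{s:40} robust={in_scope(s)!s:5} naive={naive_in_scope(s)}")
```

Running the script prints one line per sample with both verdicts side by side; the look-alike hosts are the rows where the naive check disagrees with the label-aware one. Keep the helper in your own recon tooling rather than relying on a scanner's target filter, since those filters are often simple suffix matches.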

In Scope Vulnerabilities

We are particularly interested in vulnerabilities that could lead to:

  • Remote code execution (RCE)
  • SQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass
  • Authorization flaws
  • Server-side request forgery (SSRF)
  • Information disclosure
  • Privilege escalation
  • Data exposure or leakage
  • Business logic flaws
  • API security issues

Out of Scope

The following are NOT covered by this program:

  • Third-Party Services: Vulnerabilities in services we don't control (e.g., Google Workspace, Slack, etc.)
  • Social Engineering: Attacks targeting Blockit employees
  • Physical Security: Issues requiring physical access to Blockit facilities
  • Denial of Service (DoS): Attacks designed to overwhelm our services
  • Spam: Issues related to email spam or SMS spam
  • Missing Security Headers: Without demonstrable security impact
  • Self-XSS: Cross-site scripting that only executes in your own session because the victim would have to paste or submit the payload themselves (reflected or stored XSS delivered to another user remains in scope)
  • Clickjacking: On pages without sensitive actions
  • CSRF: On non-sensitive actions (e.g., logout)
  • Rate Limiting: Missing or weak rate limits, unless you can show they enable concrete abuse
  • Version Disclosure: Banners, headers, or error pages that reveal software versions, without a demonstrated exploitable flaw
  • SSL/TLS Configuration: Scanner findings about cipher suites or protocol versions, unless you demonstrate an actual vulnerability

Guidelines for Researchers

To qualify for this program, researchers must:

Do:

  • Act in Good Faith: Research conducted solely to identify and report vulnerabilities
  • Minimize Impact: Avoid accessing, modifying, or deleting user data
  • Respect Privacy: Do not access other users' accounts or data
  • Follow Responsible Disclosure: Report vulnerabilities before public disclosure
  • Provide Clear Documentation: Include steps to reproduce, impact assessment, and suggested remediation
  • Use Personal Accounts: Only test on accounts you own and control
  • Respect Rate Limits: Avoid automated scanning that could impact service availability

Don't:

  • Access User Data: Don't view, modify, or delete other users' information
  • Perform Destructive Actions: Don't delete data, modify configurations, or disrupt services
  • Social Engineer: Don't target Blockit employees or users
  • Violate Laws: Ensure all research complies with applicable laws
  • Demand Compensation: This is a coordinated disclosure program, not a bug bounty
  • Make Public Statements: Don't disclose vulnerabilities before resolution
  • Test on Production: Use staging environments when possible

Reporting Process

How to Report

Send vulnerability reports to: [email protected]

Report Requirements

Please include the following information in your report:

  1. Summary: Brief description of the vulnerability
  2. Severity Assessment: Your assessment of the potential impact
  3. Affected Systems: Specific URLs, endpoints, or systems affected
  4. Reproduction Steps: Detailed steps to reproduce the issue
  5. Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
  6. Impact Analysis: Potential business and security impact
  7. Remediation Suggestions: Your recommendations for fixing the issue
  8. Contact Information: How we can reach you for follow-up questions

Report Template

Subject: [SECURITY] Brief Description of Vulnerability

Vulnerability Summary:

[Brief description]

Severity: [Critical/High/Medium/Low]

Affected System(s):

[URLs, endpoints, or systems]

Steps to Reproduce:

1. [Step 1]

2. [Step 2]

3. [etc.]

Impact:

[Description of potential impact]

Proof of Concept:

[Screenshots, code, or detailed explanation]

Suggested Remediation:

[Your recommendations]

Researcher Contact:

[Your contact information]

Our Response Process

Acknowledgment

  • We will acknowledge receipt of your report within 2 business days
  • We may request additional information or clarification

Initial Assessment

  • We will provide an initial assessment within 5 business days
  • We will confirm whether the issue qualifies as a valid security vulnerability

Investigation and Resolution

  • Critical/High Severity: Resolution within 30 days
  • Medium Severity: Resolution within 60 days
  • Low Severity: Resolution within 90 days

Communication

  • We will keep you updated on our progress
  • We will notify you when the vulnerability has been resolved
  • We will coordinate with you on any public disclosure

Recognition

While this is not a paid bug bounty program, we value your contributions and offer:

  • Public Recognition: With your permission, we will acknowledge your contribution in our security acknowledgments page
  • Direct Communication: Access to our security team for coordinated disclosure
  • Professional Reference: We're happy to serve as a reference for your security research work

Legal Safe Harbor

Blockit commits to:

  • No Legal Action: We will not pursue legal action against researchers who follow these guidelines
  • No Law Enforcement: We will not report security research activities to law enforcement if conducted within these guidelines
  • Good Faith Interpretation: We will interpret your actions in the best possible light when evaluating compliance with these guidelines

Timeline Expectations

  • Report Acknowledgment: 2 business days
  • Initial Response: 5 business days
  • Status Updates: Every 14 days during active investigation
  • Resolution Timeline: Based on severity (30-90 days)
  • Disclosure Coordination: 90 days after resolution (negotiable)

Contact Information

Primary Contact: [email protected]

Business Hours: Monday-Friday, 9 AM - 5 PM PT

Response Time: We monitor the security inbox 24/7 and aim to send a first reply within 2 business hours during business days; the formal acknowledgment of your report follows within 2 business days, as described above.

Thank you for helping us keep Blockit secure for all our users.