Predictive Index Responsible Disclosure Policy
Predictive Index is committed to the security of customer information. We value the assistance of security researchers in keeping our systems secure. If you are a security researcher, we appreciate your help in disclosing any vulnerabilities you discover in a responsible manner. Please review this policy before you test and report a vulnerability.
We convey our deep gratitude for your contributions by including you in our Security Researcher Hall of Fame. We do not provide monetary rewards for bug submission.
Prohibited Activities
Predictive Index does not permit the following types of activities:
- Actions that interrupts or degrades the functioning of Predictive Index services, including Denial of Service and Brute Force.
- Any attempts to access user accounts or data.
- Any attempt to modify or destroy data.
- Social engineering of Predictive Index employees, contractors, partners, or clients.
- Abuse of our service resources, including but not limited to sending unsolicited or unauthorized email.
- Publicly sharing the issue details without our permission.
- Attempting to blackmail us or trying to sell us your security report.
- Violating any laws or breaching any agreements.
When in doubt on whether your intended activity is permitted, contact us at vulns@predictiveindex.com.
Qualifying Vulnerabilities
Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, and authorization issues, privilege escalation and clickjacking.
Although each submission will be evaluated on a case-by-case basis, here are some issues which don’t qualify as security vulnerabilities:
- UI and UX bugs and spelling mistakes.
- TLS/SSL related issues.
- SPF, DMARC, DKIM configurations.
- Vulnerabilities due to out of date browsers or plugins.
- Content-Security Policies (CSP).
- Vulnerabilities in end of life products.
- Lack of secure flag on cookies.
- Username enumeration.
- Vulnerabilities relying on the existence of plugins such as Flash.
- Flaws affecting the users of out-of-date browsers and plugins.
- Security headers missing such as, but not limited to “content-type-options”, “X-XSS-Protection”
- Headers that can be removed for security reasons, such as “X-Powered-By”
- CAPTCHAs missing as a security protection mechanism.
- Issues that involve a malicious installed application on the device.
- Vulnerabilities requiring a jailbroken device.
- Vulnerabilities requiring physical access to mobile devices.
- Use of a known-vulnerable library without proof of exploitability.
- Tapjacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
Submission Requirements
Please submit your findings to vulns@predictiveindex.com and include the following:
- Location of the vulnerability.
- Full description of the vulnerability being reported, including exploitability and impact.
- Steps to replicate the vulnerability.
- Supporting evidence such as screenshots, traffic logs, requests and responses.
Please keep information about the vulnerability confidential until we review and resolve the issue. The timeframe for resolution depends on factors such as the severity, exploitability, and impact of the vulnerability, and the complexity of the solution. We will confirm the expected timeframe for resolution with you following the disclosure of the vulnerability.
What You Can Expect From Us
- We will respond to your report within 5 business days of submission to vulns@predictiveindex.com.
- We will work with you to understand and resolve the issue.
- When you follow the guidelines that are laid out in this policy, we will not pursue a lawsuit or a law enforcement investigation against you in response to your research.
- If you are the first to report a qualifying vulnerability in accordance with this policy, and we make a code or configuration change based on your report, we will recognize your contribution in our Security Researcher Hall of Fame.
Security Researcher Hall of Fame
Predictive Index thanks the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We deeply appreciate your splendid contributions.
- Riya Jindal, https://twitter.com/riyajindal01
- Kokalagi Rushikesh, https://www.linkedin.com/in/3raasrk, https://twitter.com/3RaasRK
- Bingi Abhiram Goud, https://www.linkedin.com/in/abhiram-bag003/
- Siva Reddy, https://www.linkedin.com/in/siva-reddy-a7261a187
- Krishna Agarwal, https://www.linkedin.com/in/kr1shna4garwal
- Gaurang Maheta, https://www.linkedin.com/in/gaurang883/
- Nikhil Rane, https://www.linkedin.com/in/nikhil-rane-31733a217
- Aryan Jaiswal (Nova), https://www.linkedin.com/in/aryan-jaiswal-57b42a218/
- Bhuwam Dixit, https://www.linkedin.com/in/bhuwamdixit/, https://twitter.com/BBhuwam
- Mohamed Shibil, https://www.linkedin.com/in/mohamedshibil
- Ashish Rai, https://www.linkedin.com/in/ashish-rai-5b451b275/