Responsible Disclosure Policy

1. The Basics.

1. SurveySparrow’s we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the possibility of the presence of vulnerabilities cannot be neglected .  When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to scale up our security. 
2. If you believe that you have found a security vulnerability, please tell us about it.

2. How to report a vulnerability to us.

1. Under this Responsible Disclosure Policy, you are allowed to search for vulnerabilities however you shall not:

(i) execute or attempt to execute a Denial of Service (DoS).

(ii) make changes to the system.

(iii) install malicious software or malware of any kind.

(iv) conduct any activities such as phishing.

(v) scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way.

(vi) physically attack or damage SurveySparrow property, offices or data centers or attempt to do so.

(vii) run tests on third party applications, websites or services that integrate with SurveySparrow. 

1. Breach of the above restrictions can result in SurveySparrow taking legal action against you. 
2. If you discover a vulnerability please report it to [email protected].

3. How SurveySparrow handles a vulnerability disclosure

1. SurveySparrow will send you an automatic reply to let you know that we have received your report, and that we will contact you if we need more information.
2. SurveySparrow offers non-monetary rewards for the disclosure of security vulnerabilities in line with the internal program guidelines.
3. To protect our customers, we investigate all reported issues, but we do not confirm them publicly.

4. What we seek from you.

1. Submit your vulnerability report as soon as possible after discovery.
2. Do not abuse or exploit discovered vulnerabilities in any way for any purpose.
3. Do not share discovered vulnerabilities with any entities or persons other than SurveySparrow until after SurveySparrow has confirmed the vulnerability has been resolved
4. Provide us with adequate information to enable us to investigate the vulnerability properly (to be able to investigate properly, we will need to be able to efficiently reproduce your steps)
5. Provide us with information required to contact you (for instance: telephone number or email address)

5. Our response time.

1. We will respond to your report within 7 business days of receipt, with our evaluation of the report and an expected resolution date.
2. We will keep you regularly informed of our progress toward resolving the vulnerability.
3. If you have followed the above instructions, we will not take any legal action against you regarding the report.