Vulnerability Disclosure Policy

If you believe you have discovered a bug in Radar's security, please contact us at [email protected]. By submitting a report, you acknowledge understanding of, and agreement to, this Vulnerability Disclosure Policy.

We operate a reward program for responsibly disclosed vulnerabilities. A reward may be provided for the disclosure of qualifying bugs, depending on severity. Radar rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our clients' or our clients' end users' data.

As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and your testing must not compromise other clients' or end users' data. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Radar itself and all services offered by Radar are eligible, vulnerabilities in third-party applications that use Radar are not.

Submissions

We request that you do not publicly disclose the issue. The team will review your report to ensure compliance with this policy. If your submission is determined to be out of scope, it will be closed without action.

We will provide a status update once we have validated the submission and if we have decided to move forward. Please note that contacting our team to inquire about the status of a submission will disqualify you from receiving a bounty for that submission. This includes posting on social media regarding a submission.

Restrictions

As with most security reward programs, we have a few restrictions:

  • We will only reward the first person to responsibly disclose a bug to us.
  • Automated testing is not permitted.
  • Any bugs that are publicly disclosed will not be rewarded.
  • Rewards are at our discretion, and we may cancel the program at any time.
  • Your testing must not violate any laws.
  • We cannot provide you with a reward if it would be illegal for us to do so.

The following types of submissions are NOT eligible for a reward:

  • Scanner output or scanner-generated reports
  • Submissions without an accompanying proof-of-concept demonstrating vulnerability
  • Parameter pollution without side effects
  • Issues found through automated testing
  • Publicly-released bugs in internet software within 15 days of their disclosure
  • Advisory, informational, and best practice reports that do not include Radar-specific vulnerabilities
  • Denial-of-service, brute-force, and rate limit abuse or bypass
  • Password complexity or length
  • Spam, phishing, or social engineering techniques, including SPF/DMARC/DKIM
  • Content spoofing or IP address discovery
  • Version number information disclosure
  • Email or SMS flooding attacks
  • Clickjacking and issues exploited only by clickjacking
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-XSS-Protection)
    • X-Forwarded-For spoofing
    • X-Content-Type-Options (excluding a missing nosniff directive in an exploitable scenario)
    • Content Security Policy (CSP) settings