RealSelf treats the security and privacy of your data as our highest priority. To aid in protecting the security of your data, we have certain policies meant to provide clarity to security researchers and anyone who finds security-impactful defects in our site. If you have any questions about these policies, please contact us at firstname.lastname@example.org.
We welcome reports regarding potential security defects from anyone. If you find a potential issue, please send details of your findings to email@example.com. (If it fits within the scope of our bounty program, you are also welcome to submit it through that; please see Bug Bounty Program, below.) Please include at a minimum:
- Your contact information (email is fine; we just need to be able to communicate with you to better understand your issue, so please don’t use a throwaway email address that expires in a few hours).
- A description of the issue.
- A description of the impact.
- Steps for reproducing your finding.
We will attempt to provide an initial response to your issue as soon as possible, and in any case, not more than two US business days (excluding weekends and holidays) after receiving your report. We endeavor to fix issues as quickly as possible, and will share our timeline with you as soon as we are able; please understand that we may not be able to fix a reported issue based solely on an incomplete initial contact. (This is why we need your contact information.)
Security researchers, whether participating in our public bug bounty program or not, are covered under our safe harbor pledge below.
Bug Bounty Program
We host our public bug bounty program with Bugcrowd. Our program brief describes our program, its scope, the rewards, and the expectations that we have for researchers participating in the program (including how you should identify yourself on the site, and that researchers should never contact other RealSelf users or jump into existing conversations). We also call out a specific list of third-party services linked to RealSelf subdomains, which we cannot give consent for you to test. We welcome everyone’s participation in the bug bounty.
Security Researcher Safe Harbor
We want you to disclose responsibly through our bug bounty program, and we do not want researchers to fear legal action because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action if you think it might go outside the bounds of our policy.
To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in our bug bounty program’s scope.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way defend, indemnify, or otherwise protect you from any third party action based on your actions.
That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this bug bounty program, and you have sufficiently complied with our bug bounty policy (i.e. have not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with this policy.
You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this bug bounty program permits.
Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!
If you submit a report through our bug bounty program which affects a third party service, we will not share your identifying information with any affected third party without your written permission. After notifying you that we intend to do so, we may share non-identifying content from your report with an affected third party, but only after getting their written commitment not to pursue legal action against you or initiate contact with law enforcement based on your report.
Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of our policy. Refer to that third party’s bug bounty policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.
To the extent your security research activities are inconsistent with certain restrictions in our Terms of Service but consistent with the terms of our bug bounty program, we waive those restrictions for the sole and limited purpose of permitting your security research under this bug bounty program.
Last modified: June 4th, 2019