Security at RealSelf

RealSelf treats the security and privacy of your data as our highest priority. To aid in protecting the security of your data, we have certain policies meant to provide clarity to security researchers and anyone who finds security-impactful defects in our site. If you have any questions about these policies, please contact us at security@realself.com.


Security Reporting

We welcome reports regarding potential security defects from anyone. If you find a potential issue, please send details of your findings to security@realself.com.

Please include at a minimum:

  • Your contact information (email is fine; we just need to be able to communicate with you to better understand your issue, so please don’t use a throwaway email address that expires in a few hours).
  • A description of the issue.
  • A description of the impact.
  • Steps for reproducing your finding.

We will attempt to provide an initial response to your issue as soon as possible, and in any case, not more than 10 US business days (excluding weekends and holidays) after receiving your report. We endeavor to fix issues as quickly as possible, and will share our timeline with you as soon as we are able; please understand that we may not be able to fix a reported issue based solely on an incomplete initial contact. (This is why we need your contact information.)

Security researchers are covered under our safe harbor pledge below.

Bug Bounty Program

We do not currently run a Bug Bounty program. While this is something we hope to be able to do in the future, we do not presently have a mechanism to reward submissions based on their merit.

Security Researcher Safe Harbor

Summary

We want you to responsibly disclose to us, and don’t want researchers put in legal fear because of their good faith attempts to comply with this policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action if you think it might go outside the bounds of our policy.

Terms

To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in our bug bounty program’s scope.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way defend, indemnify, or otherwise protect you from any third party action based on your actions.

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this bug bounty program, and you have sufficiently complied with our bug bounty policy (i.e. have not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with this policy.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this policy permits.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!

If you submit a report to us which affects a third party service, we will not share your identifying information with any affected third party without your written permission. After notifying you that we intend to do so, we may share non-identifying content from your report with an affected third party, but only after getting their written commitment not to pursue legal action against you or initiate contact with law enforcement based on your report.

Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of our policy. Refer to that third party’s Responsible Disclosure policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.

To the extent your security research activities are inconsistent with certain restrictions in our Terms of Service but consistent with the terms of our bug bounty program, we waive those restrictions for the sole and limited purpose of permitting your security research under this Responsible Disclosure program.