Vulnerability Policy

At MeetAlfred we take the security of our products and services very seriously – so the feedback we get from security researchers is appreciated. It helps us safeguard our services and protect our customers and their data.

We operate a policy of responsible disclosure for reporting security vulnerabilities. If you are involved with security research, please find the ins and outs of it here:

How to report a suspected security vulnerability

If you believe you’ve found a potential vulnerability, please use the vulnerability report form and give us as much detail about it as possible.

Please don’t make any information about any vulnerabilities public, or do anything else that might put our customers’ data or our intellectual property at risk. And do not degrade our systems.

What actions will we take?

We’ll acknowledge your submission and review the reported issue. If you’re right and there is an issue, we’ll give you an estimate for how long it will take to sort out.

Activity that we don’t allow:

We don’t allow any activity that might interfere with customers using our services, or any activity that might result in the modification, deletion or unauthorized disclosure of our intellectual property or personal customer data. With that in mind, these are some of the specific things we don’t allow:

  • Public disclosure of personal, proprietary or financial information
  • The modification or deletion of data that isn’t yours
  • Interruption, degradation or outage to services (like Denial of Service attacks)
  • Spamming / social engineering / phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Local network-based attacks such as DNS poisoning or ARP spoofing

Vulnerability submissions that are out of scope of our responsible disclosure policy:

  • Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common / public services
  • Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)