Responsible Disclosure Program Guidelines
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
- Do not engage in any activity that can potentially or actually cause harm to Fresh Start, our customers, or our employees.
- Do not engage in any activity that can potentially or actually stop or degrade Fresh Start services or assets.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy Fresh Start or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Fresh Start. This step protects any potentially vulnerable data, and you.
- Do not initiate a fraudulent financial transaction.
- Provide Fresh Start reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.
If you responsibly submit your findings to Fresh Start in accordance with these guidelines, Fresh Start agrees not to pursue legal action against you. Fresh Start reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, Fresh Start commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).
Out of Scope Vulnerabilities
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
- Physical Testing
- Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials
- Denial of service attacks
- Resource Exhaustion Attacks