Pitchbox is dedicated to protecting data safety and security for our users. Our Vulnerability Disclosure Program provides security professionals with clear guidelines for conducting vulnerability discovery activities to encourage responsibility, professionalism, and discretion when dealing with any potential sensitive matters.
When acting in accordance with Pitchbox’s VDP objectives we expect you to:
Please note that participants of this program are required to maintain the confidentiality of all information related to your findings. Never disclose vulnerabilities or privileged information to any entity outside of Pitchbox before receiving our explicit permission. This will provide us the opportunity to remediate the issue(s).
Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
The following test methods are NOT authorized:
Pitchbox’s Vulnerability Disclosure Program covers Pitchbox-owned web services under the following domain(s):
Some components and services of Pitchbox are either hosted or operated by third-party vendors or partners (e.g. docs.pitchbox.com), and are excluded from the scope.
Vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope or not, please contact us first.
In-scope vulnerabilities include, but are not limited to security misconfigurations, SQL and XML injections, RCE, CSRF, XSS, etc.
Only manual or semi-manual tests will be accepted. Automated scan reports using scripts and/or tools are out of scope.
The following is out of scope:
Reports and activities that violate the allowed testing methods and scope parameters outlined above will be considered as acting in bad faith and will be treated as illegal.
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
If you believe you’ve discovered a security issue or vulnerability in one of our products, please email us at email@example.com and include the following details:
We support PGP-encrypted emails so you can use our PGP public key to encrypt your communications with us.
Thank you for helping us keep Pitchbox safe and secure.