At Contractbook, we prioritise the security of our systems. 🔒 We recognise the importance of collaboration with the security community and value the contributions of third-party researchers in helping us identify vulnerabilities.
This policy outlines our commitment to working with external security researchers, ethical hackers, and individuals who discover and report security weaknesses in our systems.
The policy applies to anyone who discover potential security vulnerabilities within Contractbook’s digital assets e.g. websites, applications, and network infrastructure.
We encourage responsible disclosure of any discovered vulnerabilities. If you believe you have found a security issue, we request that you:
A. Notify Us Privately: Contact our security team for reporting security vulnerabilities. Please refrain from publicly disclosing the issue until we have had an opportunity to review and address it.
B. Provide Sufficient Details: When reporting a vulnerability, please include as much information as possible to help us understand the nature and potential impact of the issue. This may include steps to reproduce the vulnerability, associated risks, and any relevant evidence.
C. Respect User Privacy: In your testing or research, ensure that you do not access, modify, or disclose personal data or confidential information without permission.
Please allow us with a reasonable amount of time to resolve
the issue before disclosing it to the public or a third party.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Contractbook service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Upon receiving a report of a security vulnerability, we are committed to the following:
A. Timely Response: We will acknowledge the receipt of your report promptly and work diligently to investigate the issue.
B. Communication: We will maintain open and transparent communication throughout the resolution process, providing updates on the status and expected timeline for remediation.
C. Non-Retaliation: We will not pursue for legal action against individuals who report security vulnerabilities in good faith and in accordance with this policy.
Once a vulnerability is confirmed, we will take appropriate measures to address and remediate it. Our goal is to protect our systems and the security of our users and customers.
While researching, we ask you to refrain from:
A. Network denial of service
(DoS or DDoS) tests or other tests that impair system or data access
B. Sending unsolicited emails or spam
C. Social engineering or phishing of Contractbook employees, clients, or contractors
D. Any interference or physical testing against Contractbook's property or data centers (e.g. office access, tailgating)
We may revise this guideline from time to time.
The up-to-date version of the guideline is available on our website.
Contractbook is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@contractbook.com or reach out in the chat.