Responsible Disclosure Policy
Effective January 2018
To that end, Favor welcomes responsible disclosure of vulnerabilities by researchers. We do NOT have a bug bounty program, and do NOT pay for vulnerability information. To contact Favor, please reach out to us at firstname.lastname@example.org. Our PGP key can be found at https://favordelivery.com/pgp-key.txt
Favor will not take legal action against individuals who report vulnerabilities in accordance with the policy as outlined below.
- Third-party applications and services in use by Favor
- Favor’s corporate networks
Out of scope vulnerabilities and reports include:
- Social engineering
- Denial of service
- Brute forcing
- Weak passwords
- Lack of headers
- SSL vulnerabilities
- Reports from automated scanning tools
- Destruction of data
- Changing passwords and account information for accounts that do not belong to you
- Abusing vulnerabilities to steal from Favor by receiving unearned Runner payment or free/discounted deliveries
- Theft of data
- Publishing of private or company information
In order to ensure compliance with this policy, individuals should stop testing after discovering a vulnerability and not attempt to escalate. Feel free to include suspected lateral or escalation paths in your report. Additionally, in order to avoid stealing or damaging others’ data, researchers should focus testing on accounts and information that they have created and control.
Researchers are welcome to publicly disclose their findings 30 days after Favor informs the researcher that the vulnerability has been closed. Please contact the Favor security team at email@example.com with any questions.
Favor reserves the right to modify, suspend, or remove this policy at any time without notice. Favor will have no liability with regard to the actions of any researcher. Researchers are responsible for following all applicable laws.