Vulnerability Disclosure Program
Ship.com is committed to ensuring the safety and security of our customers. To help achieve this goal, we have created this policy for accepting reports of vulnerabilities in our products. We hope to foster an open partnership with the security community.
Ship.com’s Vulnerability Disclosure Program covers the following items:
- Ship.com’s website
- Ship.com’s iOS tracking app
- Ship.com’s Android tracking app
Ship.com will not engage in legal action against individuals who submit vulnerability reports through this program. We openly accept reports for the products listed above. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Ship.com or its customers
- Engage in vulnerability testing within the scope of this program
- Test on Products without affecting customers, or receive permission from customers before engaging in vulnerability testing against their devices
- Adhere to the laws of their location and the location of Ship.com
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires
How to Submit a Vulnerability
To submit a vulnerability report to Ship.com, please send an email to firstname.lastname@example.org with the subject “Vulnerability Disclosure Program Submission”.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like from you:
- Well-written reports in English have a higher chance of resolution.
- Reports that include proof-of-concept code allow us to better triage.
- Reports that include items not in the initial scope will receive lower priority.
- Please include how you found the vulnerability and any potential remediation.
- Please include any intentions for public disclosure.
What you can expect from us:
- A timely response to your email.
- After triage, we will send an expected timeline, and commit to being as transparent as possible.
- An open dialog to discuss issues.
- Notification when the vulnerability has completed each stage of our review.
- Credit after the vulnerability has been fixed.
If we are unable to resolve communication issues or other problems, Ship.com may bring in a neutral third party to assist in determining the best way to handle the vulnerability.