Vulnerability Disclosure Policy

01/24/2024

At Guidde Inc., we're committed to maintaining the highest security standards for our cloud-based services and customer data. This vulnerability disclosure portal enables security researchers to report potential security concerns within our SaaS infrastructure and applications.

Scope

In-Scope Targets:

  • guidde.com and associated subdomains
  • Guidde web application (app.guidde.com)
  • Guidde API endpoints (app.guidde.com)
  • Desktop applications published under Guidde Inc.
  • Client-side browser extensions
  • Authentication and authorization mechanisms
  • Cloud infrastructure configuration

Security Researcher Partnership

We pledge to:

  • Maintain confidential communication channels with researchers through encrypted email or secure messaging
  • Provide timely acknowledgment according to our “Response Timeline”
  • Issue security advisories for critical vulnerabilities after patching
  • Offer recognition through our security hall of fame
  • Consider monetary rewards for critical findings based on severity and impact

Response Timeline

  • Critical Vulnerabilities (CVSS 9.0-10.0): 24-hour initial response, 7-day fix target
  • High Vulnerabilities (CVSS 7.0-8.9): 48-hour initial response, 14-day fix target
  • Medium Vulnerabilities (CVSS 4.0-6.9): 72-hour initial response, 30-day fix target
  • Low Vulnerabilities (CVSS 0.1-3.9): 5-day initial response, 90-day fix target

Guidelines for Submissions

Please provide:

  • Detailed proof-of-concept code or exploit steps
  • Impact assessment and affected components
  • CVSS v3.1 score calculation when applicable
  • Any tools or scripts used during discovery
  • Suggested remediation approaches
  • Video/screenshots demonstrating the vulnerability

Program Exclusions

We do not accept reports related to:

  • Physical security assessments
  • Social engineering or phishing attempts
  • Denial-of-service testing
  • Brute force attacks
  • Rate limiting issues
  • Missing security headers that don't lead to exploitable vulnerabilities
  • Self-XSS requiring significant user interaction
  • Clickjacking without demonstrated security impact
  • Recently disclosed public CVEs (within 2 weeks)
  • Vulnerabilities in outdated browsers/platforms
  • Third-party components without working proof-of-concept

Safe Harbor

Security researchers who:

  • Follow this policy
  • Make good faith efforts to avoid privacy violations, data destruction, or service interruption
  • Do not exploit vulnerabilities beyond necessary proof-of-concept

will be protected from legal action by Guidde Inc.

Last Revised: 01/24/2024
