Responsible Disclosure Policy

Last Updated: January 1, 2017

We take the security of our systems seriously and we also value the developer community. Our responsible disclosure policy promotes the discovery and reporting of security vulnerabilities to helps us ensure the security and privacy of our users. If you are a security researching please follow the guidelines and steps below to report vulnerabilities.

Guidelines

We require all security researchers to:

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Plivo until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we will commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation within 72 hours of submission that your report has been received);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Award you Plivo credits that you can use however you would like

Scope

  • Plivo.com and its subdomains
  • Plivo’s products and services

Out of Scope

Any services hosted by 3rd party providers and services are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from the scope:

  • Findings derived from physical testing through methods such as office access (e.g. open doors, tailgating, etc.)
  • Findings derived from social engineering (e.g. phishing, vishing, etc.)
  • Findings derived from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive

Under no circumstances should the following information of individuals be submitted including but not limited to Plivo customers and employees:

  • Personally identifiable information (PII)
  • Credit card or payment information

How to report a security vulnerability?

If you believe that you have found a security vulnerability in one of our products or platforms, please send it to security@plivo.com and include the following details with your report:

  • Description, and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability. If possible, please include POC scripts, screenshots, and compressed screen captures, as they will be help us identify the issues more quickly.