At Follow Up Boss, we consider the security of our systems and products a top priority. No technology is perfect, and Follow Up Boss believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We welcome the contribution of external security researchers and want them to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our users safe.
If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
We ask that you:
We accept and discuss vulnerability reports via email at firstname.lastname@example.org. Please encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
Reports should include:
You can expect us to:
This policy covers the following applications and systems:
Please use a Follow Up Boss account for which you are the account owner or a user authorized by the account owner to conduct security research.
While researching, we’d like to ask you to refrain from:
If issues reported to our program affect a third-party library, external project, or another vendor, we reserve the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process, and we will not share your name with third parties without your approval.
We will not take legal action or initiate a complaint to law enforcement for security research conducted pursuant to the policy, including good faith, accidental violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms and Conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
As many of our systems and services are interconnected with third-party systems and services, we can only provide this legal commitment with respect to the components we own and control the rights on. If legal action is initiated by a third party against you and you have complied with this policy, Follow Up Boss will take steps to make it known that your actions were conducted in compliance with this policy.
Follow Up Boss is committed to patching vulnerabilities within 90 days or less, and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.
At the same time, we believe that disclosure in absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on our patch. If you believe there are others that should be informed of your report before the patch is available, please let us know so we can make arrangements. We may want to coordinate an advisory with you to be published after the patch is released, but you are also welcome to self-disclose if you prefer after 90 days.
By default, we prefer to disclose everything, but we will never publish information about you or our communications with you without your permission, except when required by law, and to a third-party affected by the vulnerability as discussed above. In some cases, we may also have some sensitive information that should be redacted, and so please check with us before self-disclosing after the 90 days period.
We may modify the terms of this policy or terminate it at any time. We won’t apply any changes we make to this policy retroactively.
In order to encourage the adoption of vulnerability disclosure programs and promote security best practices across the industry, Follow Up Boss reserves no rights in this policy and so you are free to copy and modify it for your own purposes.
Thank you for helping to keep Follow Up Boss and our users safe!
Published on January 30, 2019