Responsible Disclosure Policy

Rules

Any vulnerabilities submitted through this policy must adhere to the following rules:

1. Submissions must adhere to the scope mentioned in this policy.
2. Any information about the vulnerability must remain confidential between Rocketlane and yourself indefinitely.
3. The vulnerability cannot be disclosed in any medium or form.
4. The vulnerability cannot be disclosed in any medium or form.
5. Do not perform an attack that would compromise the integrity of Rocketlane's services.
   
6. DDOS for example is NOT allowed.
7. You waive claims of any nature arising out of a disclosure accepted by Rocketlane.

Requests for Compensation

We do not provide monetary compensation for any vulnerability reported. Requesting compensation will make you non compliant with this policy.Rocketlane may however choose to send swag at its own discretion.

Scope

In Scope:

The following targets are considered in scope:

• Rocketlane's website located at https://rocketlane.com
• Rocketlane's web application located at https://{subdomain}.rocketlane.com

Out of scope:

• Social engineering
• DDOS
• Automation scripts and tools
• Any spelling mistakes
• Any UI/UX bugs
  
• Issues that do not affect the latest version of modern browsers
• General best practice concerns
• Same issue under multiple subdomains
• Self XSS
• Open Redirect without proven security impact
• Brute Force attacks
• Man-in-the-Middle attack
• Clickjacking without proven security impact
• Disclosed Google API keys
  
• Verbose messages/errors without disclosing any sensitive information
  
• CORS misconfiguration on non-sensitive endpoints
  
• Missing cookie flags
  
• Missing security headers
  
• Tab-nabbing
  
• Host Header Injection
  
• Cross-domain referrer leakage
  
• Email spoofing, SPF, DMARC or DKIM
  
• Email bombing
  
• Version disclosure
  
• Issues that require unlikely user interaction
  
• Broken link hijacking (e.g. social media links)
  
• Weak SSL/TLS configurations reports
  
• Disclosing API keys without any security impact
  
• Physical attacks - Attacks that require physical access to a victim's device
  
• Recently disclosed 0-day vulnerabilities in third-party products
  
• Reports without proof of exploitation
  
• Stripping EXIF data - We choose not to strip EXIF data since customers need them. This is by design.
  
• Known issues
  

How to report

All vulnerabilities must be reported to security@rocketlane.com with the following details:

Details:
Full Name:
Mobile Number:
LinkedIn Profile:
Bug Details:
Name of the Vulnerability:
Description of Vulnerability:
Proof of concept:
Detailed steps to reproduce:

Complying with this policy

As long as you follow the instructions laid out in this policy, Rocketlane will commit to the following:

• We will not pursue civil or criminal legal action against you or initiate a complaint to law enforcement for accidental, good faith violations of this policy considering there is no damage done to the party concerned. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.
• We will work with you to understand the vulnerability and fix it
• We will keep you informed of the timeline to fix the vulnerability, post verifying its authenticity

Public disclosure

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
‍
THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH THEY SHALL BE LIABLE FOR LEGAL PENALTIES.