At Bynder, we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to shore up our security.
Under Bynder’s Responsible Disclosure Policy, you are allowed to search for vulnerabilities, so long as you don’t:
- execute or attempt to execute a Denial of Service (DoS);
- make changes to a system;
- install malware of any kind;
- social engineer our personnel or customers (including phishing);
- scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way;
- physically attack or damage Bynder property, offices or data centers or attempt to do so;
- run tests on third party applications, websites or services that integrate with or link to Bynder;
- scan or attack the Amazon Web Services infrastructure or attempt to do so.
Breaching the above restrictions may result in Bynder launching an investigation and/or taking legal action to the greatest extent of Bynder’s legal obligation and rights or that of our partners and customers.
If you do discover a vulnerability, please contact us as soon as possible by sending an (encrypted) email to [email protected]. To prevent information from falling into the wrong hands, please use the following public key:
What we ask of you:
- Submit your vulnerability report as soon as possible after discovery;
- Do not abuse or exploit discovered vulnerabilities in any way for any purpose;
- Do not share discovered vulnerabilities with any entities or persons other than Bynder and its employees until after Bynder has confirmed the vulnerability has been resolved;
- Provide us with adequate information to enable us to investigate the vulnerability properly. (To be able to investigate properly, we will need to be able to efficiently reproduce your steps.)
- Provide us with information required to contact you (at least telephone number or email address).
What we promise:
- We will respond to your report within 5 business days of receipt, with our evaluation of the report and an expected resolution date.
- We will keep you regularly informed of our progress toward resolving the vulnerability.
- If you have followed the above instructions, we will not take any legal action against you regarding the report.
Rewards and attribution:
- Please do not ask for a reward before sharing the vulnerability, as we need to evaluate your report before responding.
- If you report a vulnerability that is unknown to us, and if you are not from a country where we are prohibited by law from making payments (e.g. due to sanctions), we may decide to offer you a reward based upon our assessment of the criticality of the vulnerability. Any reports received before publication of this Responsible Disclosure Policy on XX August 2017 are ineligible for rewards.
- If you agree, we’ll publicly attribute the finding to your name in our Hall of Fame.
- For all our acquisitions, in order to give our development and security teams time for internal review and remediation, we will introduce a six-month blackout period. Bugs reported in that period will not qualify for a reward.
Any report submitted in relation to this Responsible Disclosure Policy will be handled with great care with regards to the privacy of the reporter. We will not share your personal information with third parties without your permission, unless we are legally required to do so.
Hall of Fame
Harry M. Gertos
This Responsible Disclosure Policy was last updated on: 24 May 2018.