Ground Rules
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy and any other relevant agreements.
- Report any vulnerability you’ve discovered promptly.
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming the user experience.
- Use only the official channels to discuss vulnerability information with us.
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy.
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
- You should only interact with test accounts you own or with explicit permission from the account holder.
- Do not engage in extortion.