Responsible Disclosure Policy

SeedFi is committed to ensuring the security of its customers by protecting their information from unwanted disclosure. This Responsible Disclosure Policy (“Policy”) is intended to provide independent researchers with defined guidelines for identifying potential vulnerabilities and establishes which SeedFi systems are in scope.

If you believe you have discovered a security or privacy vulnerability in a SeedFi product or service, please report it to us by following the process set forth in this Policy.

If you have questions or concerns about SeedFi’s Privacy Policy or data privacy, you can ask us about privacy.

How to report a security or privacy vulnerability

If you believe you have discovered a security or privacy vulnerability that affects SeedFi products, services, code, or systems, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.

To report a security or privacy vulnerability, please send an email to security@seedfi.com that includes:

  • The specific product, service, code, or system(s) that you believe are affected
  • A description of the behavior you observed as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue. If the steps may be hard to follow, a video demonstration would be helpful

Please use SeedFi’s Security@SeedFi.com PGP key to encrypt sensitive information that you send by email.

You'll receive a reply from SeedFi to acknowledge that we received your report, and we’ll contact you if we need more information.

How SeedFi handles these reports

For the protection of our customers, SeedFi doesn't disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.

SeedFi may credit researchers who have reported security issues with our products and services. In rare cases, SeedFi may pay rewards for sharing critical security issues.

Guidelines

SeedFi will not recommend or pursue legal action against anyone for security research activities that SeedFi concludes represent a good faith effort to follow this Policy. SeedFi deems such activity to be authorized.

Security researchers may use the guidelines below to clarify which actions they may and may not take when researching vulnerabilities. Under this Policy, “security research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, data or privacy breaches, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or pivot to other systems.
  • Provide us with the time necessary to resolve the issue before you disclose it publicly. SeedFi will acknowledge receipt within five business days. SeedFi will resolve the issue within a reasonable amount of time, which will depend on the complexity of the issue.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (e.g., Personally Identifiable Information (PII), financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else. A failure to adhere to this disclosure rule may result in legal action. Security researchers shall not:

  • Engage in any activity that violates federal or state laws or regulations, or applicable international law.
  • Engage in physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  • Engage in social engineering (e.g., “vishing”).
  • Send unsolicited electronic mail to SeedFi users (e.g., “phishing” messages).
  • Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks, or other tests that impair access to or damage a system or data.
  • Introduce malicious software.
  • Use a SeedFi system to launch redirect or amplification attacks against other systems.
  • Test in a manner which could degrade the operation of SeedFi systems; or intentionally impair, disrupt, or disable SeedFi systems.
  • Test third-party applications, websites, or services that integrate with, or link to or from, SeedFi systems.
  • Delete, alter, share, retain, or destroy SeedFi data (to include sensitive data and nonpublic information), or render any SeedFi data exposed by the vulnerability inaccessible.
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on SeedFi systems, or “pivot” to other SeedFi systems.
  • Disclose any type of sensitive information (technical, financial, operational, regulatory, etc.) or any PII exposed or made accessible by the vulnerability to a third party.

Out-of-Scope Product, Services, Code, and Systems

Web:
  • Enumerating and/or Brute Forcing Login and/or Registration.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Issues that result from pivoting; only proof of the initial foothold is necessary.
  • Spam (including issues related to SPF/DKIM/DMARC).
  • Fingerprinting/banner disclosure on common/public services.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reports about weak password policy.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Lack of Captcha/reCaptcha.
  • Lack of 2-factor authentication.
  • HTTPS Mixed Content Scripts.
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • XMLRPC-related brute-force/enumeration/DDoS attacks.

iOS/Android:
  • Enumerating and/or Brute Forcing Login and/or Registration.
  • Attacks requiring physical access to a user's device.
  • Lack of exploit mitigations, i.e., PIE, ARC, or Stack Canaries.
  • Path disclosure in the binary.
  • Lack of jailbreak detection.
  • Lack of binary protection (anti-debugging) controls.
  • Lack of root detection.
  • Lack of obfuscation.
  • Lack of binary protection.
  • OAuth "app secret" hard-coded/recoverable in apk.
  • Crashes due to malformed URL Schemes.
  • Snapshot/Pasteboard leakage.
  • Runtime hacking exploits (exploits only possible in a jailbroken environment).
  • User data stored unencrypted on the file system on rooted devices.
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.
  • Bypass certificate pinning on rooted devices.
  • Sensitive information retained as plaintext in the device’s memory.
  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened.
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope).
  • Vulnerabilities found in a SeedFi application that was not acquired from SeedFi’s official Play store account.
  • Sensitive data retrieved as plaintext from disk on rooted devices.

If you are not sure whether a product, service, code, system, or other feature is in scope or if you would like to get authorization to work on an out-of-scope item, contact us at security@seedfi.com to obtain authorization before you begin your research.

While SeedFi does not intend to take action against persons making good faith efforts to report potential vulnerabilities lawfully and in compliance with this Policy, we are not able to make such a representation on behalf of any third party. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any party other than SeedFi, including the personal data of SeedFi's customers and employees, such entity or person may independently determine whether to pursue legal action or remedies related to such activities.

Last updated: August, 2022