Introduction
Gett welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
Whilst we appreciate the time and effort you spend researching vulnerabilities, we do not usually offer monetary rewards for vulnerability disclosures.
Our Commitments
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission;
- Strive to keep you informed about the progress of a vulnerability as it is processed; and
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Our Expectations
We will not initiate any legal action against you provided that you:
- Comply with all applicable laws at all times;
- Avoid the use of automated tools;
- Only verify a vulnerability against your own account;
- Do not interact with any account that you do not own;
- Do not access or attempt to access data that does not belong to you;
- Do not exploit a security issue that you discover for any reason;
- Do not perform actions that may negatively impact Gett systems or our users;
- Do not reveal the problem to others until it has been resolved; and
- Do not use attacks on physical security, social engineering or spam.
Reporting
If you believe you have found a security vulnerability, please email your findings to disclosure@gett.com.
In your report please include details of:
- Where the vulnerability occurs, for example the URL, IP, or which app and the version number;
- A brief description of the vulnerability;
- Steps to help us reproduce the vulnerability. This should be a non-destructive proof of concept; and
- A full CVSS calculation for the vulnerability.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact disclosure@gett.com before going any further.
Outside of Our Concern
Gett does not have a formal bug bounty programme. However, there are several bug classes about which we are not concerned with receiving reports. These include:
- URL redirection. Unless you can show that this creates a significant risk, we tend to believe open redirects are working as designed.
- Login/Logout cross-site request forgery. Sometimes called self CSRF.
- Version disclosure. This is information disclosure and by itself does not expose our services to attack, and is therefore not a bug.
- Email SPF and DKIM issues, whether the records are invalid or missing.
- Missing security headers which do not lead directly to a vulnerability.
- Reports of insecure TLS ciphers (unless you can provide a demonstrable exploit and not just a report from a scanner).
- Attacks that require an attacker’s app to have the permission to overlay on top of our app (e.g., tapjacking).
Please check this page regularly, as we may update this policy from time to time; any update becomes effective upon posting.