🎉 Latest News! InMoat is now verified by Google after passing an independent security assessment designed with your security and privacy in mind.

Vulnerability Disclosure Program

Overview

InMoat is committed to protecting the security and privacy of our customers. Our Vulnerability Disclosure Program (VDP) is intended to minimize the impact of any security issues, therefore, we hope to work with the researchers within the security community to help identify and fix vulnerabilities in our systems and services. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

Program and Scope

InMoat’s VDP applies to security vulnerabilities discovered in any of InMoat’s software products. We ask that all security researchers submit vulnerability reports only for InMoat software products. We intend to increase our scope as we build capacity and experience with this process.

Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our security team. 

In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the stated products listed. 

The purpose of this program is to fix security vulnerabilities. Therefore, only security vulnerabilities, or bugs that lead to security vulnerabilities, will qualify and be eligible for rewards. For other (product) bugs that do not lead to security flaws, we would greatly appreciate it if you report the bug following the steps listed in our How To Report A Bug documentation.  

Testing Guidelines

When performing security testing, please adhere to the following guidelines:

  • Only test against your own accounts and data (e.g. create test accounts). If you identify a vulnerability that may result in access to other users’ data, please check with us first before testing further. 

  • If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data. 

  • Do not perform testing that results in denial of service conditions or degradation of our production services.  

  • Do not permanently modify or delete hosted data.

  • Do not intentionally access non-public data any more than it is necessary to demonstrate the vulnerability.

  • Do not share confidential information obtained from InMoat with any third party.

  • Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against anyone, including InMoat’s staff, members, vendors, or partners.

InMoat will not pursue Legal Action against Individuals who: 
  • Engage in testing of systems/research without harming InMoat or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the laws of their location and the location of InMoat. For example, violating laws that would only result in a claim by InMoat (and not a criminal claim) may be acceptable as InMoat is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.

Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Reporting a Vulnerability

We ask that you privately report the vulnerability to InMoat before public disclosure. Please allow InMoat at least 90 days to fix the vulnerability before publicly discussing or blogging about it. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.

To submit a vulnerability report to InMoat’s Security Team, please email us at security@inmoat.com and include information about the vulnerability, as well as detailed steps on how to replicate it. Submissions that include detailed information on how to fix the respective vulnerability are more likely to receive more valuable rewards. 

The validity of a vulnerability will be decided at the sole discretion of InMoat. 

In order to prioritize and triage your vulnerability report, please ensure your submission includes the following criteria:

  • Well-written reports in English will have a higher chance of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool outputs may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.
InMoat’s Response to Vulnerability Reports

Once we receive your vulnerability report, we will ensure to provide you with the following:

  • A timely response to your email (within 2 business days).
  • After triage, we will send an expected timeline and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, InMoat may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

Rewards

Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our security team. 

If you do not want to be publicly thanked on our website (or elsewhere), please let us know that you want your submission to be confidential in your report email. We will still provide rewards for confidential submissions.

Not all reported issues may qualify for a reward. Rewards are awarded at InMoat’s sole discretion. As we are a completely bootstrapped company, we are unable to afford cash bounties. However, we offer public acknowledgment, as well as other non-cash rewards, such as a free subscription to our service. 

Only the very first report we receive about a given vulnerability will be rewarded.

Versioning

This document Version 1.0 was created on October 24th, 2020. Any updates will be noted below in the version notes.