Responsible Disclosure Policy
Thinking Machines is a strong advocate of information security and data privacy. If you are a security researcher and have discovered a security vulnerability in one of our services or resources, we appreciate your help in disclosing it to us in a responsible manner. We will validate and fix vulnerabilities in accordance with our policies.
We treat each report we receive with the utmost seriousness and recognize the importance of privacy, security, and community outreach. Thinking Machines may reach out to you after conducting an internal investigation. No response is guaranteed, especially for any minor/inconsequential issues reported.
We agree not to pursue legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy unless we are compelled to do so by a regulatory authority, other third parties, or applicable laws and regulations.
How to Disclose
- Do not submit findings that require social engineering or man-in-the-middle to exploit (e.g. clickjacking).
- Do not utilize an exploit to view data without authorization, or compromise its confidentiality or availability.
- Do not engage or perform any attacks that could harm the availability, integrity, or confidentiality of our services and resources.
- Do not use your findings to phish, spam, social engineer, or otherwise defraud any customers or Thinking Machines employees during the course of testing to gain more access.
- Do not perform denial of service (DoS) attacks against any Thinking Machines resource to prove an impact for a suspected security issue.
- Do not engage in acts of intimidation or extortion.
- When in doubt, please email [email protected] with “Responsible Disclosure” in the subject to discuss.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Please fill out and submit this form for our review.
What You Should Include in Your Report
- How you found the vulnerability
- Criticality of the finding
- The potential impact
- Any known options for remediation
- A description of the type of issue (e.g. Remote Code Execution, Cross-Site Scripting)
- Potential abuse cases
- Sample code (i.e. proof of concept) and/or tools used to generate an exploit payload
- Contact information for the finder of the issue (e.g. email, phone number)
- Any information or systems you may have accidentally accessed without permission
Do not publicly announce the vulnerability. Get in touch with us and give us the time to investigate the issue. The safety of our customers’ information and assets is our top priority. Therefore, we encourage anyone who discovered a vulnerability in our systems to act instantly and help us improve and strengthen the safety of our sites and systems.
Do not disclose confidential information, including details of your submission, without prior and explicit consent from Thinking Machines.
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Thinking Machines shall:
- Acknowledge receipt of your vulnerability report
- Work with you to understand and validate the issue
- Address the risk as deemed appropriate by the Thinking Machines Security Team
- Work together to prevent exploitation of any confirmed vulnerabilities
We may reward you for your investigation. However, we are not obliged to do so. Therefore, you are not automatically entitled to a payment. The form of this reward is not fixed in advance and will be determined by us on a case-by-case basis. Whether we give a reward and the form of the reward depends on the diligence of your investigation, the quality of the report, and the severity of the finding.
Should we feel that your report warrants public recognition, you may be requested to provide a moniker for inclusion in our Responsible Disclosure Hall of Fame