APPLE CLASSIFIEDS RESPONSIBLE DISCLOSURE
Commitment to Security
At Apple Classifieds we are committed to maintaining the security of our systems and data. We believe that good security is key to business and to maintaining the trust of our customers, users, visitors, merchants and employees. As such, we strive to continuously improve our security to ensure that we are prepared to meet the challenges posed by an ever-evolving threat landscape.
We value your input. When properly notified of a security issue, we are committed to working with you to understand and remediate verified problems. If you believe you have found an issue on our site, we encourage you to report it to us in a private and responsible way. To encourage this, we have established a reward program for verifiable security issues reported to us through the proper channel.
What Vulnerabilities Qualify?
Any issue that potentially affects the confidentiality, availability, or integrity of our users' and customers' data will be considered. Some examples of those types of issues include:
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• SQL/Code Injection
• Issues identified with our authentication or session management mechanisms
We also have a number of issues that we will not consider, including anything that reports an act that is abusive or in bad faith. These include:
• Bugs identified via off-the-shelf vulnerability or security scanners, including open-source, free, or commercial tools
• Bugs that we are already fixing or that someone else has previously reported
• Infrastructure attacks, including brute force or denial of service
• Tools that generate a significant amount of traffic or any activity deemed to be disruptive to other users
• Attacks against other user accounts (target your own account only)
• Underspecified reports where the information provided is insufficient to reproduce the vulnerability
• Vulnerabilities on sites that are not owned or operated by Apple Classifieds
• Functionality bugs which do not compromise the security of our users’ accounts or personal information
• Bugs that have been disclosed publicly or to third parties (brokers) by you or others
• Testing a suspected vulnerability in a way that violates any law or compromises data that is not your own
Reporting Suspected Vulnerabilities
If you believe that you have found a vulnerability, please report it to firstname.lastname@example.org. Our security team will interact with you directly from there.
Please note that whether to award commissions for identified issues will vary and will remain at all times at Apple Classifieds' discretion. If multiple vulnerabilities are reported or are closely related, we may choose to award only one. We may choose not to award for a certain time when we launch new products, or when we are otherwise actively in a development or upkeep cycle. We may also require documentation for tax reporting purposes before we are able to pay any commissions, and we are unable to award to individuals or in situations where doing so would violate a sanction list maintained by the U.S. or Canada Office of Foreign Assets Control ("OFAC") or conflict with the letter or spirit of other applicable State/Province, Federal or Territorial law, rule or regulation.
Notwithstanding any of the above, Apple Classifieds reserves the right to cancel or modify this program at any time and without prior notice.