Responsible Disclosure Policy
Dated: 16 January 2024
EQL's approach to Responsible Disclosure
The security of our systems and the data we hold is a critical priority for EQL. We make every effort to keep our systems secure. Despite our efforts, there may still be vulnerabilities.
This policy sets out how you, or anyone else, can share your findings with us in good faith. If you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible.
We do not pay bounties or otherwise compensate you for finding potential or confirmed vulnerabilities, but we are genuinely grateful for reports made in good faith.
If you have not exploited the vulnerability, have not prematurely disclosed its possible existence, and otherwise comply with the requirements of this Policy, EQL will not take legal action against you. Similarly, if a third party initiates legal action against you and you have complied with this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy.
What this policy covers
This policy covers:
- Any product or service operated by EQL to which you have lawful access.
This policy does not cover:
- clickjacking;
- social engineering or phishing;
- weak or insecure SSL/TLS cipher suites, protocol versions and certificates;
- denial of service (DoS or DDoS) attacks;
- posting, transmitting, uploading, linking to, or sending any malware;
- physical attacks;
- attempts to modify or destroy data;
- attempts to extract or exfiltrate sensitive data.
This policy does not authorise individuals or groups to undertake hacking or penetration testing against EQL systems.
This policy does not cover any other unlawful action, or any action contrary to the legally enforceable terms and conditions for using a product or service.
How to report a vulnerability
To report a vulnerability, email vulnerabilitydisclosure@eql.com, including enough detail (for example, the affected system or URL and the steps you followed) so that we can reproduce your findings.
If you report a vulnerability under this policy, you must keep it confidential, and abide by the following guidelines:
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate a proof of concept; if you encounter any personally identifiable information during testing, stop testing and submit a report immediately;
- Only make your research public once we have finished investigating and have fixed or mitigated the vulnerability;
- Do not interact with our Platform or systems in breach of any applicable terms, unless we provide written approval for you to do so;
- Do not engage in extortion or any other unlawful behaviour.
EQL may take legal action for any breaches of these guidelines.
What happens next
If we investigate and verify that your disclosure relates to a material vulnerability, we will take all reasonable actions to:
- acknowledge receipt of your report within five business days;
- keep you informed of our progress;
- agree upon a date for public disclosure;
- with your consent, credit you as the person who discovered the vulnerability.
People who have disclosed vulnerabilities to us
Below are the vulnerabilities that have been disclosed to us. A name or alias is included where the person who identified the vulnerability has given consent:
- None recorded at this time.