Responsible Disclosure Policy

The security of users’ data is always our top priority. If you have discovered security vulnerability anywhere in our services, we greatly appreciate your cooperation in disclosing it to us in a responsible manner, following the guidelines set out in this Policy.

We commit to acknowledge, validate, and fix vulnerabilities in the timeliest manner possible. We will not take legal action against or suspend access to our services for any party that has responsibly disclosed vulnerabilities discovered.

We would like to give proper credit to the people who help us improve our services and protect the Metric International’s community. If you discover a valid significant vulnerability and report it in accordance with this Policy, we will add your name to our Honor Roll. If you wish to keep your disclosure confidential, just let us know and we would never reveal your identity. In case the same vulnerability is reported by several parties before it is fixed, the acknowledgment will go to the first one to report the issue.

Rules

  • If you believe you have found a vulnerability, do not share details about it with any third parties or the general public before it has been fixed;
  • You can only conduct testing on accounts that you own or have permission from the owner to test on;
  • Do not try to gain control of another user’s account or data;
  • SPAM and DDoS attacks are never permitted;
  • Do not use automated tools to find vulnerabilities;
  • Automated/manual password guessing (also known as “bruteforce attack”) against login forms is not permitted;
  • Never use non-technical methods such as phishing and/or social engineering against employees or customers of Metric International;
  • Physical attacks against equipment, infrastructure, offices, and/or employees of Metric International and/or our partners are strictly forbidden.

How to report

Send us an e-mail at support@metric.international with the details of the vulnerability you have discovered. Please make sure to include the following:

  • As much detail as possible about the nature of the vulnerability so as to allow us to reproduce your steps;
  • Your e-mail address;
  • Name and a link to your Twitter/Facebook profile as you would like them to appear on this page.