FLIP VULNERABILITY DISCLOSURE PROGRAM
INTRODUCTION
PT Fliptech Lentera Inspirasi Pertiwi (“Flip”) believes that protecting customers is critically important. Flip commits to ensuring the security of our customers’ data and the reliability of our products and/or services. Therefore, Flip welcomes any independent security researchers to discover any vulnerabilities that Flip’s electronic system or application may have. This Flip Vulnerability Disclosure Program is intended to give independent security researchers the terms and conditions for conducting vulnerability discovery activities directed at Flip’s electronic systems or applications and submitting the discovered vulnerabilities to Flip. We require that all submissions remain confidential and are not disclosed to any other parties.
SAFE HARBOR
Any activities conducted in a manner consistent with this program will be considered authorized conduct and we will not initiate any legal action against you. If a legal action is initiated by a third party against you in connection with activities conducted under this program, we will make it known that your actions were conducted in compliance with this program. Flip reserves any legal rights available (both through civil and criminal proceedings) in the event of non-compliance with this program.
RESTRICTED ACTIONS
The following are unauthorized actions that you shall not perform. Performing any of the following actions will constitute a violation of this program:
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not perform Denial of Service (DoS) or other actions that degrade, damage, or interrupt Flip’s applications, products and/or services.
- Do not exploit any vulnerabilities found.
- Do not publicly disclose a vulnerability without our review and explicit prior written consent.
- Do not engage in any form of social engineering, spamming, or phishing of Flip’s employees, customers, partners, vendors or suppliers.
- Do not engage or target any of Flip’s employees, customers, partners, vendors or suppliers during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that may have Personally Identifiable Information (PII) or other sensitive data other than your own.
- Do not change the password of any account that is not yours or for which you do not have explicit permission to do so. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with account(s) you do not own.
- Do not leak/modify/destroy/misuse/abuse any user data or system files.
REPORTING
The accepted method for contacting Flip regarding security vulnerabilities is by using the form on the submissions page. Flip highly appreciates the efforts made by you in identifying the vulnerability or error. Reporting such vulnerabilities and errors will contribute to the improvement of the security and reliability of Flip’s products and/or services. By submitting a report, you expressly agree to the following terms:
- You assign all use and ownership rights of the report to Flip.
- Your actions and interactions with Flip leading up to the report are not in violation of any applicable laws.
- You have no intention of harming Flip, its customers, employees, partners, vendors, or suppliers.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our electronic systems, products and/or services.
- You agree to not disclose any information about the report and vulnerability described within, and the fact that you submitted a report to Flip.
- You agree that the report is made out of goodwill, and is done without any expectations of rewards, monetary or otherwise, from Flip.
- You agree to not exploit a security issue that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You agree to not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
- If you want to publish the vulnerability you are reporting, you agree to give Flip reasonable time to fix it, and you can disclose it to the public after you receive explicit prior written approval from Flip and at least 3 (three) months after the discovered vulnerability is fixed.
- Flip reserves the right to decide in its sole discretion whether the submitted reports are allowed to be published to the public or not.
- Reports with ‘critical’ severity are not allowed to be published by researchers without prior explicit written consent from Flip.
- If you publish reports without Flip’s explicit prior written consent (for any reason, e.g. education, popularity, etc.), Flip has the right to initiate a lawsuit or take any legal action against you.
CONTACT INFORMATION
Supplying your contact information with your report is entirely voluntary and at your discretion. This does not guarantee that you will receive any responses from Flip regarding your report. Flip may contact you regarding the contents of the report at its sole discretion.