Security

Program Information

At UpGuard, we take the security of our systems seriously and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and UpGuard until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursuing or supporting any legal action related to your research;
  • Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission); and
  • Recognizing your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

Out of scope
Any services hosted by third-party providers and services are excluded from scope. These services include:

  • XSS vulnerabilities limited in scope to the instigator's own account
  • Our blog and marketing pages, most of which exist under the "www" subdomain
  • Our social media presences
  • Third-party products / UpGuard integrations created and maintained by a third party

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@upguard.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame.

If you’d like to encrypt the information, please use our PGP key:
