Disclosures

Last Updated 14/11/2024

At Eltropy, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you believe you have identified a potential security vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

By submitting reports or otherwise participating in this program, you agree that you have read and will follow the terms and conditions of this Responsible Disclosure Program.

Responsible Disclosure Program Guidelines

Violation of any of these rules can result in ineligibility for a reward and/or removal from the program. 

  1. Do not engage in any activity that can potentially or actually cause harm to Eltropy, our partners, customers or our employees.
  2. E-mail your findings to disclosures@eltropy.com.
  3. Do not store, share, compromise or destroy Eltropy or the data of Eltropy’s customers. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Eltropy. This step protects any potentially vulnerable data, and you.
  4. Do not reveal the problem to others until it has been resolved.
  5. Do not use attacks on physical security, social engineering, distributed denial of service, spam, third-party applications or any other systems that may impact Eltropy’s services.
  6. Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system along with a detailed write-up will be sufficient. Add as much detail as possible; otherwise, the report may not be evaluated.

Our promise:

If we determine that the issue you reported was legitimate, we will respond to your report within 15 business days with our evaluation of the report and an expected resolution date.

If you have followed the guidelines above and not otherwise violated the terms and conditions herein, we will not take any legal action against you in regard to the report.

We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.

As a token of our gratitude for your assistance, we may offer a reward for reporting a security problem that was not yet known to us. You will be eligible for a reward only if you are the first person to disclose an unknown issue. The severity of the finding and the quality of the report will determine the reward to be issued. Reports in third-party software are not eligible for a reward.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. 

Out of Scope vulnerabilities include:

  • Physical Testing
  • Social Engineering
  • Phishing
  • Denial of Service Attacks
  • Resource Exhaustion Attacks
  • Out of Scope Systems

Certain infrastructure is considered out of scope for our Responsible Disclosure Program. 

Out of Scope Systems include:

eltropy.com

Program Terms and Conditions:

In connection with your participation in this program, you agree to comply with all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

Eltropy reserves the right to change or modify the terms of this program at any time. 

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People’s Republic and Luhansk People’s Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate in the Responsible Disclosure Program depending upon your local law.

Eltropy does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Eltropy users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Eltropy in order to extract and publicly disclose data belonging to Eltropy.

Eltropy employees (including former employees that separated from Eltropy within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive rewards of any kind under this program.

This is not a competition, but rather a discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
