Vulnerability Reporting Policy

Vulnerability Reporting Policy

SetSail Technologies
November 2020


At SetSail, we understand that customers are trusting us with their sensitive data and security is essential. We recognize the valuable role that external security researchers can play in keeping our information safe. And, we encourage responsible reporting of vulnerabilities that researchers may find in our site or applications. We will work with security researchers to verify and address any potential vulnerabilities that are reported to us.

This policy outlines the terms and mechanism for people to report vulnerabilities.

How to Report a Potential Security Vulnerability

  1. Privately share details of the suspected vulnerability with SetSail by sending an email to [email protected].
  2. Provide full details of the suspected vulnerability so the SetSail security team may validate and reproduce the issue

Our Commitment

We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the SetSail security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify you when the vulnerability has been fixed


The following types of vulnerabilities are not considered in scope

  • Reports of non-exploitable vulnerabilities
  • Violation of best practices (i.e. missing security headers)
  • SSL/TLS configuration issues (i.e., support for “weak” cipher suites)
  • Fingerprinting and banner disclosure on common or public services
  • Self-cross-site scripting (XSS)
  • Internal IP disclosure
  • Cross-site request forgery (CSRF)
  • Error-messages with non-sensitive data

Prohibited Conduct

  • Performing actions that may negatively affect SetSail or its users (e.g. Spam, Brute Force, Denial of Service…)
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
  • Conducting any kind of physical or electronic attack on SetSail personnel, property or data centers
  • Social engineering any SetSail service desk, employee or contractor
  • Conduct vulnerability testing of participating services using anything other than test accounts
  • Violating any laws or breaching any agreements in order to discover vulnerabilities