Vulnerability Disclosure Policy
Global Oversight LLC, a.k.a. MySafeBase, is committed to ensuring the security of users by protecting their information from unwarranted disclosure. We design our products and services with quality, reliability, and privacy in mind. Regardless, vulnerabilities may still be present in our products, services, and systems.
This document describes MySafeBase’s policy for receiving reports related to potential security vulnerabilities in its products and services and sets out our practice regarding informing customers of verified vulnerabilities.
We want security researchers, partners, users, or any other source to feel comfortable reporting vulnerabilities they’ve discovered so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
Contact
If you have identified a potential security vulnerability in one of our products or services, the preferred method of contacting the MySafeBase team is by email to support@globaloversight.net. Please submit these reports in English and ensure they contain the following information:
- Date and time of discovery
- Product or service name
- URL, browser information (including type and version), and input required to reproduce the vulnerability
- Technical description, including what actions were being performed and the result in as much detail as possible
- Sample code: if possible, provide the code that was used in testing to create the vulnerability
- Reporting party’s contact information
- Current plan to disclose
- Risk assessment containing details of the identified threats and/or risks, including a risk level for the assessment result
- Software and computer/device configuration details at the time of the vulnerability
- Relevant information about connected devices if the vulnerability arises during interaction, and details of when a secondary device triggers the vulnerability
Upon receipt of the report, the appropriate personnel will contact you to follow up. MySafeBase retains discretion to determine whether to accept a report into the program. For example, it may decline vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond MySafeBase’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements.
Disclosure Requirements
MySafeBase agrees not to pursue legal action against reporting parties who submit in-scope reports and:
- Engage in testing/research of systems without harming MySafeBase, its clients, users, employees, or third parties.
- Do not use or alter any data they might access during their discovery.
- Do not conduct social engineering, spam, or phishing attacks.
- Do not test the physical security of any property of MySafeBase or third parties.
- Do not conduct denial-of-service or resource-exhaustion attacks.
- Comply with applicable criminal laws.
- Adhere to other applicable laws (other than those that would result only in claims by MySafeBase).
- The submitting party or parties who submit a report to MySafeBase agree not to disclose to a third party any information related to that report, the vulnerability reported, or the fact that a vulnerability has been reported to MySafeBase. This agreement regarding disclosure applies regardless of whether MySafeBase had prior knowledge of the information.
You agree that MySafeBase may disclose the information in a report you submit. MySafeBase will consider any request from a reporting party to make a disclosure, but reserves the right to deny such requests.
By submitting a vulnerability, the reporting party acknowledges that there is no expectation of payment for these services and waives any future payment claims against MySafeBase related to the submission.
MySafeBase appreciates the efforts made by the reporting party in identifying the vulnerability. We thank you for going out of your way to improve the security of our products and services and the Internet community as a whole.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.