Upside Vulnerability Disclosure Policy

Last updated: June 1, 2023

At Upside, we take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 3 business days of submission);
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission

Scope

  • upside.com
  • upside-services.com
  • Latest version of Upside iOS App
  • Latest version of Upside Android App
  • AWS infrastructure and services in use by Upside (eg: S3 buckets)

Out of scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

  • Social logins like Facebook, Google etc.
  • appsflyer.com
  • Mixpanel.com
  • Branch.io
  • Iterable.com
  • Segment.io
  • optimizely.com
  • Bugfender.com
  • Plaid

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Denial of Service (DoS/DDoS) vulnerabilities
  • Issues related to SPF/DKIM/DMARC
  • Attacks against our end users, or engage in the trade of stolen user credentials
  • Attacks against customer support; through contact forms or methods
  • Vulnerabilities only affecting unsupported browsers or platforms
  • Attacks requiring physical access to a user's device
  • User data stored unencrypted on the file system on rooted devices

Confidentiality

  • You must treat all information about our systems, staff or customers, that is not publicly available, as strictly confidential and not share or use it for any purpose other than emailing it as a submission as described below.

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@upside.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition.

If you’d like to encrypt the information, please use our [PGP key].

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGR3uD8BEACckYRb1CYWIoyeJ4pnlLrEBAXtNr2dD0LsaWO964rmiKfEcyjL3UisPAamDsAA5D1zMZEf0Bj/jE3N1mZVNPteppms5KRtO89+K8kp9yz2r4plUB/ZtSP9LyePXVBHh3Spqfybo7gH1T2dAae9fp9qWOPFlf/gwcITiCahWPNd29T+XGdPwKJdlKjOPj7K7eYvlskE7sr5E2d63jsgbSABoS/VN+T7EfBNC1jgLbqEiozXWpf3VKeukv6mUogIxEIRNhZXQsjNDy0vrRfXkcB0vqGZrnLaYKMkiZJw0G0qdGkzM0ySw1sFtXSrImdz0MfGOdfz+Mn0COAZRlO1XbWTrtgHI/JEsxPF6NctDEPxIkZu4hnSAkPWryj5OtsHW3HZXFghKErz3+kZDfMhkgalPOp5DOFuxd0/Xf+KefWzE4MUV43LgjwNl6vqtEl8wrf86npcPzNnFZ3eKma42nNG2qjGacS3L+BlojSw3h6fLDN/v7Hf7LMXCinbhhPyhLZgKvo7zr3uLbLZuKZUpUVD7dgNtqu+WTl0NNwXU6m+2YOFUn7NBM//nOI8BdOullCcvy4eXO7rHtPJEgo5aeA/ScHy/pP0JDkQJyfFF7yLrtLl90GOJDeJ2jF1eD+ar3bFIX0wRYJmTUGMK96Kois4snuYaMAhxRZA3YhbNPEd4QARAQABtCVVcHNpZGUgU2VjdXJpdHkgPHNlY3VyaXR5QHVwc2lkZS5jb20+iQJXBBMBCABBFiEEP3uDqDlV5dt37bad/hPdoD6QYOcFAmR3uD8CGwMFCQHhM4AFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQ/hPdoD6QYOej/Q/9HZuVpQ3vuO0nbunnYwTGH3nlN73IurFSmgUVIyyEfb/3RBurqQ+urdwml60KM92s+Euh4IDMz30kF8Pr7znww7s4BGMjsvg26Tt6HFDcXCp2AXaJcXDmWHDXW/cXDUjs3KbNvYsfrbEDcGRGUe1EZRfCtQbm3nw3O09RDUkgqk7WeCuW9atrfv8a6V+pBPSzg1X1qcJTF1RiBnjG0qg32UZjcYhlqvTQZsPw8jr0wMp6jz4BnbjmEvFfEZSvPzvHepxBhHyg2z8uJ+fvZWwExqW7ywGmAI4xiFqoVfyGzGpliDF/rE3HobCo2Vlpq/XsdzEirfqEJM4/dN1Uk3SDYM2DA/Oy7ElkHZX+C+x8WeZtRUWn7zM/R/ZEtH46gzsCjCRnHCdD0+tOsMIYKS4ZBktlSLaQD9u/d+8XRQJFmI62PYd4JcrKGVuT+KWO2hq7Gc99RUFsjPVBlfoLLI3WLmTTtmwKfvDLyvVfi6nTRJRGVNgH3F2mDx8fqDv/ouxFYuRM/t8LAcJq4puPoLrrrkCyICrm8S6xL3s9nI0A71M5PJ0nqaakwpaqULNwmnLJrlj6K7hX0ptTk1XIpwo16TklM2XrO9zUonqQ1jxaL0R3VJFRzcap4PlamH7CB+8hYYyjqfAHe/B8M0InnhAK6EeZ+sFYxZOxFItZo6ZBXzS5Ag0EZHe4PwEQANAS6NrTneHqNejo/EnxzhyI+1PqN7la/8GhgC3ObLKQvdFS0CYH5I8hYo2CHbZVFO5kNr9PX7/BXqHYuQ8SiqJl3Y+qsVKLBj7JlHViiZSrrhhL9F4aSFZy1ktchUqVnkj4D6W/AUMd0/1/Re/h08qsGOMX779Mh/9Kvqc6kiGBEM3xPjf6Oezork9Ro+m9mo/deXJUmEzBKhuEJGKT3aVfjn1rhMJmbXDsZHyO+8N1eLbN/ktBlxwT/kq+r8Vh/00ZC/E7fTDtFl3qnqTRnKtZ7hKnE4ZbN3MetsG2c2IVXyoj75Gki7C8D3ZXNpbyuYsk8NL9T8GhaEyPkVMg7RU/Xusm9vR+NyBRwp4qMCU9I72EC1Y++PBL9hIO+RH33ucuMxNfmlyIXSSaPyTTqgRjplnz+IkX9mRa7ztM/X8kQ2t86U+IwpW+vD1WCmaqIHff4pKbuTe6w4kvKpCxFS0xiky4VRNm3Y1O/I846NiySnXynPnd1o/0/9qG6hO1yzaGEp/Sc6HgAfitoT9/mACYdiW7AqZ6s0tll340k9Q8ssUx5p0Hm89EqwUL2wG4gBmugSDpdONpAFFE3d/foEpVBYnYJTb5dJ85VTpcqcK3kmA2SqmLLetsScVTG3c+2Olm8j2yE5LoIkOen8HlpcarRpwC+XW+PjQw9HZ75K3tABEBAAGJAjwEGAEIACYWIQQ/e4OoOVXl23fttp3+E92gPpBg5wUCZHe4PwIbDAUJAeEzgAAKCRD+E92gPpBg57eJD/42nFk1uIU7sYMzzTBuALj6AnXzXL0At3GkzDvayWDsasdePjRWl7ornqO4OspBVZUn4KVRxKu8NFvscifbKC2XsqZJP3U6fmBi4Nz8FGUpr+vtun0Mcw7ICdptlk0e+wvxOQW5s7yTxGH9UYAurK++zh8DGFuJvgjrBov6EQKN7s3oolGlqph4iE+nrT5APlxqRAnFYky0MGVlV7nLkma36bk/+DVRpdkI+/N9HMqtwli3yVgRH7ab1zYUUDPIIrM4XXgUBMb+mxdTQtwuhZfqEg7HctPBxcF4wgS1lYo1I9AzN/zQlVJF50soCNLYXuFT+7XHl1ZKSddQkO8sua8DsALx5vLtC1t46Ee7pISGjMqAL473IfTJ/rkIWwx4EDBBOOp1NbYyRe36y6umIcYTZxBwT4V3SM3tpc2lEf5aNehHwV3a7XPq+3ScjIJC8y8XIxkEB0HBHfiaZHBvZPbEOyswsSSHI15DPO8QH++p0Lv6YRuJJn8iAltgV5DfyZDezh9JZItOybPAEpSYay3pbCMRME26WhSqrTrnrdpvbFSnyYJE9vQ+G6171LRG34DAZn1HsgLpEm3UL73btQgrev3Cef8QYb2pVIAFEJJWeN8wRFzcMED3FS3uBBCkJwXpdNI40F4rzsXGcPQYECgV
Q4g+NKu1Q5kv7nIDBKFjPw==
=37Nb

-----END PGP PUBLIC KEY BLOCK-----