Overview
We take the security of our systems seriously, and we value the security research community. If you believe you've found a security vulnerability in our services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Scope
This policy applies to any vulnerabilities you find within our systems hosted on the following domains:
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program.
Rewards
Bounties are awarded based on severity, impact, and quality of the report. The final reward amount is determined at our discretion and takes into consideration:
- Technical severity of the vulnerability
- Potential business impact
- Quality and completeness of the report
- Reproducibility of the issue
Higher rewards are given for critical vulnerabilities that could significantly impact our systems or users.
Rules of Engagement
While conducting your research, we require that you:
- Do not attempt denial of service attacks
- Do not spam our services
- Do not access or modify other users' data
- Do not conduct automated scanning without prior approval
- Do not conduct social engineering attacks
How to Report
Please send your findings to security@skincade.com. Include the following:
- Description of the vulnerability
- Steps to reproduce
- Proof of concept if available
- Impact of the issue
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Response Timeline
We strive to meet the following response targets:
- Initial Response: 24-48 hours
- Triage: 3-5 business days
- Resolution: Varies based on complexity
- Bounty Payment: Within 30 days of resolution