Vulnerability Disclosure
Technology Warehouse greatly appreciates well-intentioned and ethical security researchers for their help in making our products more robust and bringing secure services to our customers. As such, we welcome security community members to investigate the security of our systems for potential vulnerabilities and are committed to thoroughly review and resolve valid submissions. If you think that you have found a security vulnerability in any of applications or services, operated by Technology Warehouse, please let us know. Before reporting though, we encourage you to carefully read the contents of this page and follow the rules and recommendations listed. Note that we are only able to review technical vulnerability reports. Non-security bugs, queries about problems with your account and abuse reports should be instead directed to our customer support.
Services in scope
Generally, any Technology Warehouse-owned application or service, that handles reasonably sensitive user data, is in scope. This includes almost every web service, hosted under the following subdomains:
*.tw.na
*.twna.dev
Not in scope
Some of our customers may have their services or infrastructure hosted under Technology Warehouse domains. We cannot authorize you to test such systems, as we do not own them, nor would we be able to provide you protection under Safe Harbor. If in doubt regarding any particular asset – ask us first!
In order to make our collaboration effective, safe and convenient for both parties, we encourage you to:
- Test only with your own Technology Warehouse accounts when investigating bugs, and do not interact with other accounts (which includes modifying, copying, viewing, transmitting, or retrieving data from the other account) without the account owner’s explicit written consent, which you must present to Technology Warehouse upon request.
- Avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.
- Do not utilize automated scanners, that generate significant volumes of traffic.
- Only exploit security vulnerabilities you discovered to the extent necessary to confirm the vulnerability.
Provide detailed reports to Technology Warehouse with reproducible steps.
Currently we are not able to provide any monetary rewards. We would however like to express our deepest gratitude to the researchers who take their time and effort to investigate and report security vulnerabilities in accordance with this Program.
Public Disclosure
- Be patient and give us reasonable time to review and fix the issue you have reported. We are committed to fix valid submissions within 90 days or less.
- Do not disclose any vulnerability information in a web service publicly or privately before the fix is confirmed by Technology Warehouse or the report is rejected.
- Do not disclose any vulnerability information in a mobile or desktop application publicly or privately before it is fixed and within 30 days after the fix is confirmed by Technology Warehouse or the report is rejected.
- Do not disclose any sensitive information that may have been accidentally obtained during vulnerability research.
Safe Harbor
Any activities conducted in good faith in a manner consistent with this Program will be considered authorized conduct, and we will not initiate legal action against you for such activities. If legal action is initiated by a third party against you in connection with activities conducted under this Program, we will take steps to make it known that your actions were conducted in compliance with this Program.
General
Technology Warehouse reserves the right to discontinue or change the terms of this Program at any time without notice. Technology Warehouse further reserves the right of final decision on the interpretation of the terms of this Program.