Security Policy

Last Updated: December 21, 2025

Vulnerability Disclosure Policy

At Propper, we take the security of our systems and our users' data seriously. We appreciate the security community's help in identifying potential vulnerabilities.

Safe Harbor

We support safe harbor for security researchers. We will not pursue legal action against researchers who:

  • Conduct security research within the scope of this policy.
  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Promptly report any vulnerabilities they discover to us.
  • Do not disclose the vulnerability to the public until we have had a reasonable amount of time to fix it.

Scope

In Scope

  • app.propper.ai
  • Propper API endpoints
  • Source code hosted in this repository

Out of Scope

  • DDoS or other volumetric attacks.
  • Social engineering (phishing, vishing) of our employees or contractors.
  • Physical attacks against our offices or data centers.
  • Third-party applications or services we integrate with (e.g., Stripe, SendGrid), unless the vulnerability is in our integration.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to us via email:

security@propper.ai

Please include:

  • Description of the location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed traces are helpful).

Response Timeline

  • Acknowledgment: We aim to acknowledge receipt of your report within 48 hours.
  • Validation: We aim to validate the vulnerability within 5 business days.
  • Resolution: We will keep you informed of our progress towards resolving the issue.

Rules of Engagement

  • Do not access or modify data that does not belong to you. Use your own test accounts.
  • Do not execute any attacks that could degrade the performance of our services (e.g., automated scanning tools).
  • Do not exfiltrate data.

© PropperDocs, Inc. All rights reserved.