Responsible Vulnerability Disclosure

This guide outlines OutThink’s Responsible Vulnerability Disclosure program, for customers and other parties who have potentially found a vulnerability on OutThink’s platform and want to responsibly report it.

If you are a customer with access to support, you can report the vulnerability directly through your normal support channel or contact your Customer Success Representative directly.

Otherwise, please send an email to security@outthink.io.

Submission Requirements:

  • Detail all the steps you followed that make the vulnerability exploitable, including any URLs or code you used. The more information you can provide, the faster we can reproduce and fix the problem.
  • Please don’t send PDF, DOC, Script or EXE files – we cannot process them. Plain text or images are best.
  • Any vulnerability can be considered, but particularly those involving cross-site scripting (XSS), injection, cross-site request forgery (CSRF), remote code execution (RCE), data breaches or cookie issues.
 

Reward

OutThink has grand plans to introduce a bug bounty program, but we aren’t quite there yet.  For the time being, we are happy to name you in our Hall of Fame below.  If in the near future we introduce a bug bounty program, we’ll be in touch.

Public disclosure

Please do not publicly disclose any vulnerability or potential vulnerability before obtaining OutThink’s permission.  We will do our best to respond to all legitimate reports and keep you fully informed on progress to resolution.

The Hall of Fame

Nothing to see here yet!


© 2023 OutThink Ltd. Company no. 096433149.
