Responsible Disclosure

Updated: May 17th, 2019

Overview

All technology contains bugs. If you've found a security vulnerability, we'd like to address the issue. We welcome responsible security researchers from the community who want to help us improve our products and services.

If you discover a security vulnerability, please privately notify us and give us at least 30 days to address it before making any kind of public disclosure. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue, and address the issue in a manner consistent with its severity.

Strala is currently not rewarding cash prizes for reporting vulnerabilities; however, your submission will be met with gratitude, glory, and, for critical vulnerabilities, potentially swag. If you would like to report a vulnerability, please abide by these rules:

• Don't attempt to gain access to another user’s account or data.
• Don't attempt to degrade the services.
• Don't impact other users with your testing or access their data.
• Don't bombard our infrastructure using large lists for fuzzers, scanners, or other automated tools to find vulnerabilities.

In-Scope Services

We want to know about any significant issues on any of our domains:

• Strala.com
• Strala.io
• Stra.la
• Strala.app

Please exercise reasonable discernment in what you choose to submit. We are not able to provide test credentials to researchers at this time.

Out-of-Scope Issues

The following types of reports/attacks are out of scope. Do not attempt them:

• DoS attacks
• Do NOT access customer data
• Brute force attacks
• Physical vulnerabilities
• Social engineering attacks
• Anything related to our emails
• CSRF issues
• Self-XSS and issues exploitable only through self-XSS
• Clickjacking and issues only exploitable through clickjacking

Safe Harbor

We are committed to protecting the interests of Security Researchers. We will not pursue legal action against responsible researchers whose behavior matches the above guidelines, does not access customer data, does not degrade our environments, and does not publicly leak data or vulnerabilities.

Contact

If you choose to email us, encrypting your email is not required.
Please send reports to security@strala.com

Hall of Fame

• Mitesh Patil
• Tirtha Mandal
• Sushma Ahuja
• N.S.Deepak
• Virendra Tiwari
• Fahimul Kabir Lemon
• Nikhil Mahajan
• Abhishek Karle