Vulnerability Disclosure Program

Reply.io values security research

Safety & security are incredibly important to Reply.io and to the ecosystems we serve. As we see greater convergence of physical and digital systems, we all carry a shared responsibility to develop and maintain secure, defensible, and resilient systems. Reply.io is committed to doing our part through robust security programs and initiatives. As an extension to our own efforts, Reply wishes to team with willing allies acting in good faith. As such, Reply welcomes the invaluable contributions offered by security researchers. To ensure a smooth and streamlined process, we are introducing our Coordinated Vulnerability Disclosure Program.

Initial Scope

For the initial scope, this program will focus on Reply product to ensure our full attention to areas where vulnerabilities could potentially affect customer critical environments. We intend to broaden the scope to include additional products as the program matures.

Legal Posture

Reply will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.

Communicating with Reply

To ensure proper handling of the disclosure in both directions, please adhere to the following instructions:

  • Submit your report in English to legal@reply.io
  • Use our PGP public key available on this web page or other encryption methods to encrypt the message.
  • Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to us.

Once we have received your message, an appropriate ReplyApp, Inc. employee will acknowledge receipt within seven (7) calendar days.

What we expect of you

We are willing to work with security researchers who comply with the following guidelines:

  • Comply with all applicable laws and regulations
  • Do not access or modify any data in any account or system for which you do not have legal control
  • Do not take advantage of the vulnerability or any issue you have discovered; do not take any disproportionate or illegal actions
  • We ask you to work with Reply on selecting public release dates for information on vulnerabilities to minimize the possibility of public safety, privacy and security risks.
    • Inform us of your disclosure plans, if any, prior to public disclosure
    • Involve DHS-ICS-CERT, CERT/CC, relevant Regulators, or other appropriate government entities when prudent
    • Provide us with details of any communication on the vulnerability (and CVE) to vulnerability coordinators
  • Preference: Well-written reports in English will have a higher priority of prompt resolution
  • Preference: Reports that include proof-of-concept code equip us to better triage

What you can expect from Reply

Once we have received a submission, Reply.io will:

  • Acknowledge receipt within seven (7) calendar days.
  • Perform an initial assessment on the potential findings to determine accuracy, need for escalation and product team to work with. In this phase, you may:
    • Receive requests for additional information, or
    • Receive notification that the vulnerability is not accepted into the program because it does not meet the criteria of the program or provide sufficient detail. (You may respond to any notifications of non-acceptance by contacting legal@reply.io)
  • Develop a resolution and take appropriate action depending on the criticality scoring of the vulnerability.
  • Provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.

Where necessary or if we are unable to resolve communication issues or other problems, Reply.io may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

Note: Any information shared with Reply.io may be used by Reply.io in any manner determined appropriate by Reply.io. Submitting any information will not create any rights for the submitter, nor will it create any obligations for Reply.io.