We take the security of our customers data very seriously. If you believe you've discovered a potential security vulnerability within one of our services or products, we strongly encourage you disclose it to us as quickly as possible and in a responsible manner.
We appreciate the assistance and patience of security researchers and are committed to reviewing all reports that are disclosed to us. We will do our best to address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure.
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
We encourage you to conduct responsible security research on our products and services. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all of our legal rights.
If in doubt, please contact the "CovidPass" Security Team by sending an email to firstname.lastname@example.org.
You can responsibly disclose potential security vulnerabilities to the "CovidPass" Security Team by emailing email@example.com. Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.
Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response. Going forward, we will keep you informed on our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, remediated or mitigated the potential security vulnerability.
Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.