Security Response
Responsible Disclosure
LevelUp takes the security of its users and the safety of their information very seriously. If you’ve discovered a vulnerability, help us fix it by disclosing your findings to us first.
Share the details of any suspected vulnerability with the LevelUp Security Team by submitting it here. Please do not publicly disclose these details without our consent. We’ll get back to you ASAP, usually within 24 hours; please follow up or ping us on Twitter (https://twitter.com/thelevelup) if you don’t hear back.
Rules
-
Don’t publicly disclose a bug before it’s been fixed.
-
Don’t attempt to gain access to another user’s data.
-
Only test for vulnerabilities on systems you know to be owned and hosted by LevelUp. Research into vulnerabilities in third-party apps using our SDKs and in systems hosted by third parties (like https://levelup.zendesk.com or http://developer.thelevelup.com) is subject to the owner’s terms, not LevelUp’s.
-
Never use automated scanning tools or Denial of Service attacks; we may suspend your LevelUp account and ban your IP address if you do so.
Our Commitment
If you’re a security researcher and you identify a verified security vulnerability in compliance with the rules of the Responsible Disclosure Policy, LevelUp will:
-
Acknowledge the receipt of your report in a timely manner
-
Notify you when the vulnerability is fixed
-
Publicly acknowledge your contribution
-
Not get lawyers involved
Reporting
In reporting any vulnerabilities, let us know:
-
Vulnerability details and steps to reproduce
-
Your email address and/or alternative contact info
-
Your name, website, and/or Twitter handle as they should be displayed on this page, if you’d like public credit
-
Your shipping address and T-shirt size
