VULNERABILITY DISCLOSURE POLICY

INTRODUCTION

Pixel Union, a WeCommerce Holdings Limited Partnership ("WeCommerce") business, is committed to ensuring the security of the public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

We ask you to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it.

SAFE HARBOUR

Any activities conducted consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. However, we reserve the right to take appropriate action in response to conduct that falls outside the bounds of this policy or is otherwise unlawful or malicious.

Please understand that if your research involves the networks, systems, information, applications, products, or services of a third party, we cannot bind that third party, and they may pursue legal action against you. We cannot and do not authorize research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions. Should legal action be initiated by a third party against you for activities that we determine to be in line with this policy, we will take best steps to make it known that your actions were authorized under this policy.

This policy does not authorize you to intentionally access company data or data from another person's account without their express consent. Please understand that we cannot work with anyone who violates applicable laws or regulations, or accesses individuals' personal information.

ACCOUNTS: HOW TO REPORT

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Pixel Union, we may share your report with the Canadian Centre for Cyber Security. We will not share your name or contact information without express permission.

We accept vulnerability reports via [email protected]. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.


What we would like to see from you

  • Describe the location where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  • Be in English, if possible.

What you can expect from us

  • Within 3 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

We ask that you not access any organizational data, including personal information. If you cannot demonstrate the impact of the issue without accessing this information, let us know, and we will finish the investigation for you.

INELIGIBLE VULNERABILITY TYPES

When reporting vulnerabilities, please assess the attack scenario, exploitability and security impact of the bug. Pixel Union does not consider the following to be eligible vulnerabilities under this policy. If submitted, these issues will be closed.

  • Distributed Denial of Service
  • Content spoofing
  • Social Engineering, including phishing
  • Email flooding
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Generic examples of Host header attacks without evidence of the ability to target a remote victim
  • Reports related to permitted password strength
  • Lack of mobile binary protection, mobile SSL pinning
  • Theoretical sub-domain takeovers with no supporting evidence

RULES FOR PARTICIPATION

  • Notify us as soon as you discover a potential security vulnerability
  • Do not destroy or modify data that is not yours
  • Do not perform social engineering or physical attacks
  • Avoid privacy violations and disruption of systems
  • If you access sensitive data, stop testing and notify us
  • Securely delete data after resolution or within 1 month
  • Do not demand financial compensation
  • Submitting a report does not make you an employee
  • Waive all moral rights to submitted content
  • Policy may be modified at any time

SCOPE

This policy applies to the following systems and services:

  • getuptime.co
  • app.getuptime.co
  • rewindmonitor.com

Any service not expressly listed above is excluded from scope. Vendor systems fall outside this policy and should be reported to them directly.

INTELLECTUAL PROPERTY

Submitting a vulnerability report does not grant any rights to WeCommerce intellectual property. All rights to submitted reports are assigned to WeCommerce. You represent that you have the authority to assign these rights and that submission does not violate third-party agreements.

QUESTIONS

Questions regarding this policy may be sent to [email protected]. Suggestions for improvement are also welcome.

DOCUMENT CHANGE HISTORY

Version   Date           Description
1.0       July 8, 2025   First issuance.