Legal

legal page icon

Responsible Disclosure Policy

Previous Policy last updated on May 10, 2021 (view the current version here.)

We take the security of our systems seriously, and we also value the developer community. Our responsible disclosure policy promotes the discovery and reporting of security vulnerabilities to help us ensure the security and privacy of our users. If you’re a security researcher, please follow the guidelines and steps below to report vulnerabilities.

Guidelines

We require all security researchers to:

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Plivo until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we will commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation within 72 hours of submission that your report has been received);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue;
  • Award you Plivo credits that you can use however you like.

Scope

  • Plivo.com and its subdomains
  • Plivo’s products and services

Out of Scope

Any services hosted by third-party providers are excluded from scope.

In the interest of the safety of our users, staff, the internet at large and you as a security researcher, the following test types are excluded from the scope:

  • Findings derived from physical testing through methods such as office access (e.g. open doors, tailgating, etc.)
  • Findings derived from social engineering (e.g. phishing, vishing, etc.)
  • Findings derived from applications or systems not listed in the Scope section
  • UI and UX bugs and spelling mistakes
  • Network-level denial-of-service (DoS/DDoS) vulnerabilities
  • Clickjacking
  • Automated vulnerability scanner reports
  • Disclosure of server or software version numbers
  • Subdomain takeovers without supporting evidence
  • Session invalidation when the credential is already known
  • Missing rate limits
  • Best practice reports without a valid exploit

Things we do not want to receive

Under no circumstances should the following information of individuals be submitted, including but not limited to Plivo customers and employees:

  • Personally identifiable information (PII)
  • Credit card or payment information

How to report a security vulnerability

If you believe that you have found a security vulnerability in one of our products or platforms, please send it to security@plivo.com and include the following details with your report:

  • Description and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability. If possible, please include POC scripts, screenshots, and compressed screen captures, as they will help us identify the issues more quickly.