Responsible Disclosure Policy
Compass is committed to protecting the data that drives our marketplace. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate your help in disclosing the issue to us responsibly. Keep in mind, this is not a bug bounty program and we do not offer rewards or compensation for identifying issues. However, if you are the first researcher to report a confirmed vulnerability, we are happy to include your name in our Hall of Fame, unless you wish to remain anonymous.
Our Pledge to you
We are committed to working with you to verify and address any potential vulnerabilities that are reported to us. Additionally, we will not initiate legal action against you as long as you adhere, in good-faith, to responsible disclosure practices, including the processes and principles described herein.
Reporting a vulnerability
To report a security issue or vulnerability, send us an email to email@example.com. If you want to encrypt your message using PGP, our public key is available here. Please include a detailed description of the issue, how it was discovered, and steps we can take to reproduce what you have observed. A member of the Compass Product Security Team will review your email and contact you to collaborate on resolving the issue in a timely manner. Please refrain from sharing your report, or any communications relating to your report, with others while we work on implementing a patch. By submitting your report, you agree to treat the report as confidential for at least 90 days after submission.
Some principles to keep in mind
As you conduct your research we ask that you make a good faith effort to protect the privacy of our users and their data. To that end, please: Stop and notify us immediately if you encounter any sensitive information or Personally Identifiable Information (PII).
- Only view information to the extent required to identify the vulnerability and report the vulnerability directly to us. Refrain from saving and/or sharing information.
- Provide sufficient information, in English, so that we can replicate the vulnerability. Reports that include only crash dumps or other automated tool output will not help us mitigate the vulnerability and instead, make it more difficult to address the issue.
- Only interact with accounts you own or have permission to access. Feel free to create your own accounts for testing purposes.
- Additionally, please do not:
- Take any actions that will affect the integrity or availability of our systems. If you notice performance interruption or degradation, immediately suspend all use of automated tools.
- Use any of the following methods, as they are prohibited:
- Denial of service attacks
- Phishing or spear phishing
- Social engineering
- Physical attacks against our data centers or property (including servers or networks)
We highly value your insights and appreciate your efforts in making the Compass platform more secure. Thank you and we look forward to working with you!
Responsible Disclosure Contributor Hall of Fame
Compass appreciates and would like to thank the following individuals who have contributed to improving the security of our products.
- Sunil Singh
- Sagar Banwa
- Shaeq Ahmed
- Andrew Kerr