Responsible Disclosure Policy

TeamSnap Responsible Security Disclosure Statement

At TeamSnap, we take security seriously. You should see our office bouncers. They will throw down. Really though… In addition to our own internal security testing and fixes, we occasionally get — and encourage — help from members of our community.

If you think you have found a security issue in TeamSnap (web, mobile apps, or API), we want to know! We’ll even reward you with a listing in our Hall of Thanks, some TeamSnap swag and a heart-felt “Thank you.”


What You Should Do

  • Email us at [email protected].

  • Use our PGP key (Fingerprint: 81E2 A9C9 6F50 D30B FE94  6774 FA51 9694 03DF 1827) if the details are especially sensitive.


What We Ask

  • Provide us with enough detail (screenshots, walkthrough steps, etc.) to reproduce the issue.

  • Give us time to fix the issue before riding through the streets at high noon announcing it to the world … or tweeting it to your 10,000 followers. Time needed varies based on the issue. For example, iOS release cycles are much longer than fixes on the web. But rest assured, once we know an issue exists, we are on the case.

  • Don’t access/manipulate/delete data you don’t normally have access to. We’re very committed to our users’ data and experience and would hate to have an unintentional glitch in the system result in someone messing with our users’ accounts. Live by the Golden Rule: Don’t be a jerk. Seriously though, attempts like these will be reported.

  • Don’t ask for payment; we do not offer cash payouts for disclosure. And you’re not a turtle-necked villain from an early 90s cyberpunk movie … right?


What We Promise

  • We will reply to you within one business day to let you know we received and are evaluating your report.

  • We will evaluate your report to see if it constitutes a true security issue.

  • We will give you an estimate on how long it will take us to fix the issue.

  • We will follow up with you once the fix is deployed.

  • We will give you our thanks for practicing responsible security disclosure and making TeamSnap better.

  • We will write songs in your honor and sing them from the mountaintops.

 

Whether an issue qualifies as a legitimate security problem is a decision TeamSnap engineers will make. Only the first security researcher to report an issue will qualify for credit. We, of course, reserve the right to modify this program at any time.

If you would like (it’s not required), we’ll be happy to recognize you for your contribution by adding you to our Hall of Thanks (either by name or anonymously). For a significant vulnerability, we’ll also send you a little something from our Funky Swag Shack as a token of our thanks. Just provide your mailing address and T-shirt size, and our highly skilled carrier pigeons will have your gift on its way!

If you’ve played by the spirit and letter of this page, we pledge not to take legal action against you, to cancel your TeamSnap accounts, to send our bouncers Bubba and Larry after you, or do anything else to limit your access to TeamSnap. However, if you’ve not complied, we reserve the right to pursue legal action or other appropriate remedies. Really, though, if you do right by us, we’ll do right by you. We don’t want to get the legal system involved, and neither do you. OK? OK!
 

TeamSnap Hall of Thanks