Vulnerability Disclosure Program (VDP)
Introduction
At Heymarket, we are committed to ensuring the security and privacy of our systems, products, and services. To help achieve this, we welcome contributions from the security community and other individuals who responsibly identify and report potential vulnerabilities. Our Vulnerability Disclosure Program (VDP) provides a safe, structured way for researchers to disclose security issues. If you have identified a vulnerability, please follow the guidelines below to report it.
Commitment to Researchers
As part of this program, Heymarket is committed to the following:
- Confidentiality and professionalism in all dealings with researchers.
- Prompt communication with researchers.
- Careful review and fair treatment of all accepted submissions.
- Remediation as required to protect the safety and security of Heymarket and its customers.
Expectations of Researchers
As part of this program, Heymarket expects the following of researchers:
- Confidentiality and professionalism in all dealings with Heymarket.
- Adherence to the terms and conditions associated with this program.
- Responsible and private disclosure of vulnerabilities to Heymarket.
- Compliance with applicable laws and regulations.
Scope
The following systems/services are within scope:
- Heymarket Corporate Website (https://www.heymarket.com/)
- Heymarket Application (https://app.heymarket.com/, https://api.heymarket.com/)
- Heymarket Mobile Apps (iOS, Android)
- Heymarket Google Chrome Widget
Prohibited Activities
The following activities are strictly prohibited:
- Any activities that adversely affect the performance or delivery of Heymarket services and operations, including denial of service attacks.
- Any activities that adversely affect Heymarket’s customers or suppliers.
- Any activities that involve the disclosure or display of the finding, including any proof of concept, to any third party or to the public, unless expressly authorized in writing by Heymarket.
- Any activities that involve social engineering techniques, including impersonation or use of existing credentials, in any capacity.
- Any activities that involve coercion, harassment, threats, or intimidation.
- Any activities that involve physically accessing assets belonging to Heymarket or Heymarket’s customers, or associated with the delivery of Heymarket services or operations.
- Any activities that violate Heymarket’s Privacy Terms, or the general privacy of Heymarket or Heymarket’s customers. In this regard, Heymarket expects that researchers will avoid unauthorized access to another person’s data. If you encounter personally identifiable information, customer data or other sensitive data, please contact us immediately, do not proceed with access, and do not retain any copies of such information.
- Any activities that violate applicable laws and regulations.
Reward Policy
Heymarket appreciates the contributions of researchers towards improving the security of our platform. At Heymarket’s discretion, and subject to applicable laws (including those that may prohibit a reward entirely), a reward may be provided for significant findings, though Heymarket does not guarantee a reward for any submission. If you are a minor, are included in any sanctions list, or live in a country that is on a sanctions list, we cannot provide a reward. A reward may also be denied for failure to provide information requested by Heymarket in the course of its compliance process, which includes validating the identity and location of any recipient of a potential reward.
Submission Process
Please submit findings via email to security@heymarket.com, ensuring that all of the submission requirements below have been satisfied.
Submission Requirements
In order for a submission to be accepted, the following conditions must be met:
- The finding must not have been previously identified.
- Researchers must not have performed any of the above mentioned prohibited activities.
- The finding must not involve any of the above mentioned prohibited activities.
- The finding must be associated with a target listed within the above mentioned scope.
- The finding must not be disclosed without Heymarket’s express written permission.
- Submissions must clearly identify the impact to the integrity, availability, and/or confidentiality of the target system/service.
- Submissions must include a proof of concept of the finding (e.g., a screen recording); this is subject to the limitations above related to personally identifiable information and other sensitive data.
- Submissions must include sufficient information for the Heymarket team to triage, reproduce, and assess the finding.
Additional Terms
Heymarket reserves the right to modify or terminate this program at any time without notice; changes will not be applied retroactively to submissions already received.
Version 1.1 – Dec 2024