Responsible Security Disclosure

The security of our systems and the data we hold is a critical priority for Shippit. We make every effort to keep our data systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to share their findings with us in good faith. If you think you have found a potential vulnerability in one of our data systems, services or products, please tell us as quickly as possible.

About this policy

We are keen to engage with the security community. This policy gives a person a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within systems operated by Shippit and its affiliate entities.

We will not compensate you for finding potential or confirmed vulnerabilities.

What this policy covers

This policy covers:

  • Any product or service operated by Shippit to which you have lawful access

This policy does not cover:

  • Clickjacking
  • Social engineering or phishing
  • Denial of service (DoS or DDoS) attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Physical attacks
  • Attempts to modify or destroy data
  • Attempts to extract or exfiltrate sensitive data

This policy does not authorise individuals or groups to undertake hacking or penetration testing against Shippit’s systems.

This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a vulnerability, email security@shippit.com. Please include enough detail so we can reproduce your steps.

This may include:

  • An explanation of the potential security vulnerability
  • A list of the products or services that may be affected (where possible)
  • Steps to reproduce the vulnerability
  • Proof-of-concept code (where applicable)
  • Your name (or alias) and contact details

If you report a vulnerability under this policy, you must keep it confidential.

Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, Shippit may take legal action.

There is no expectation of compensation for finding potential or confirmed vulnerabilities. If you have not exploited the vulnerability or prematurely disclosed its possible existence, Shippit will not take any legal action against you.

What happens next

All vulnerability reports go to security@shippit.com; the team handling that mailbox may contact you if more information is required.

Upon verification of the reported vulnerability Shippit will:

  • Respond to your report within 10 Business Days*
  • Keep you informed of our progress
  • Agree upon a date for public disclosure
  • Credit you, with your consent, as the person who discovered the vulnerability

If you do not provide your name (or alias) and contact details, Shippit will still investigate your report, but will not be able to recognise you or contact you if there are any queries about your report.

* Business Day means a day that is not a Saturday, Sunday or public holiday in Sydney, New South Wales.

People who have disclosed vulnerabilities to us

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Abhinav Bansal
  • K.Rajesh Sagar
  • Sonu Walkade
  • Sakshi Patil