Responsible Disclosure Policy
Enclave Markets’ Responsible Disclosure Policy applies to individuals who are passionate about security and would like to report a security vulnerability that could affect Enclave Markets’ core platform and its information security infrastructure.
At Enclave Markets we are committed to ensuring the safety and security of our customers and products. We strive towards the development of a secure product offering through continuous education of our staff on security best practices. However, we recognize the importance of vulnerability disclosures in pursuing product and infrastructure security, and we pride ourselves on fostering an environment of trust and an open partnership with the security community. For that reason, we have developed this policy to provide reporting instructions and uphold our legal responsibility to good-faith security researchers who are providing us with their expertise.
Enclave Markets will not initiate legal actions against individuals who submit vulnerability reports through secu[email protected], as long as they adhere to these parameters:
- Engage in testing of systems/research without harming Enclave Markets or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Adhere to the laws of their location and the location of Enclave Markets.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Enclave Markets reserves the right to only credit researchers who have reported an issue that is proven and of sufficient severity.
How to Submit a Vulnerability
To submit a vulnerability report to Enclave Markets’ Security Team, please email the details to our security team at: [email protected]. We appreciate confidential and responsible disclosures and will acknowledge security researchers after validating and fixing the vulnerability.
Analysis, Prioritization, and Acceptance Criteria
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, clear steps to reproduce, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What we don’t want to see from you:
- Denial-of-Service (DoS) or Distributed DoS (DDoS) attacks against Enclave Markets’ systems and products.
- Testing against systems owned by third-party companies that integrate with Enclave Markets’ products.
- Malicious activities against Enclave Markets or its customers by leveraging Enclave Markets’ systems.
- Testing that would degrade the quality of services offered by Enclave Markets.
- The handling of malicious software (including but not limited to uploading, sharing or sending) with respect to Enclave Markets.
What you can expect from Enclave Markets:
- A timely response to your email (within 7 business days).
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as about issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our vulnerability management process.
- Credit after the vulnerability has been validated and fixed. While Enclave Markets does not currently have a bug bounty program in place, we are happy to credit researchers.