Rewind Vulnerability Disclosure Policy

Keeping user information safe and secure is a top priority and a core company value for us at Rewind. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

We thank everyone for their contributions, and we publicly acknowledge and thank members of our community on this page. We will contact you once the vulnerability you’ve reported has been resolved to ask you whether you would like your name to be displayed on this page.

Applications/Assets in Scope

The Rewind and Replay applications are in scope along with our public APIs (excluding www.rewind.io).


Any assets or services hosted by third parties (and hence CNAME'd) are out of scope, for example status.rewind.io, help.rewind.io and support.rewind.io.

Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:


  • Share the security issue with us in detail;
  • Please be respectful of our existing applications;
  • Refrain from any denial of service testing, spamming or social engineering of Rewind employees or contractors;
  • Give us a reasonable time to respond to the issue before making any information about it public;
  • Do not access or modify our data or our users’ data. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Rewind;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
  • Otherwise comply with all applicable laws.

Out-of-scope Vulnerabilities and Exclusions

The following issues are outside the scope of our VDP program:


  • Our policies on presence/absence of SPF/DMARC records.
  • Password, email and account policies, such as email ID verification, reset link expiration and password complexity.
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
  • Login/logout CSRF.
  • Attacks requiring physical access to a user’s device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Host header injections unless you can show how they can lead to stealing user data.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Reports of spam (i.e., any report involving the ability to send emails without rate limits).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Social engineering of Rewind employees or contractors.
  • Presence of autocomplete attribute on web forms.
  • Missing cookie flags on non-sensitive cookies.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • Any report that discusses how you can learn whether a given username or email address has a Rewind account.
  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where the attacker can inject image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
  • IP/Port Scanning via Rewind services unless you are able to hit private IPs or Rewind servers.
  • Hyperlink injection or any link injection in emails we send.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the applicable laws. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Rewind’s VDP, Rewind will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Submitting a Report

E-mail your findings to security@rewind.io. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands. Please include:

  • Your name and contact information
  • Summary of the vulnerability
  • Description of the vulnerability
  • The type of vulnerability
  • Detailed steps to reproduce
  • List of additional supporting material/references (if applicable)

Acknowledgments

We thank everyone for their contributions, and we publicly acknowledge and thank members of our community for reporting a problem.