Vulnerability Disclosure

Workiro prioritises security and privacy and uses a range of controls to protect its services. Despite these efforts, the evolving nature of cyber threats means we cannot always pre-empt every vulnerability.

We recognise the limits of our own resources and competing priorities, so we encourage the responsible disclosure of external security research into our internet-facing services.

Legal Terms

By engaging with our policy, you agree to adhere to the terms on this page. Any modifications to these terms must be mutually agreed upon in writing. This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause GetBusy or partner organisations to be in breach of any legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)

This policy does not provide any form of indemnity by Workiro or any third party for any actions if you are in breach of the law and/or this policy.

Workiro affirms that it will not seek prosecution of any security researcher who reports a security vulnerability in a Workiro service or system, where the researcher has acted in good faith and in accordance with this disclosure policy. We respect the anonymity of researchers reporting vulnerabilities through this policy, and will disclose identities only with consent or where legally required.

Conducting Research and Testing

Automated scanning tools are prohibited. Violations may lead to exclusion from future participation or legal action.

Research must be limited to publicly accessible resources or to a user account you legitimately hold. Accessing or compromising other users' accounts or confidential information is forbidden. Ensure your research does not disrupt services, intercept data, violate any laws, or compromise data you do not own. If you inadvertently disrupt a service or access unauthorised data, stop, report it immediately to compliance@getbusy.com, and do not record, use, or disclose the data.

Disclosure Reporting Procedures

Report vulnerabilities to compliance@getbusy.com, including the affected endpoints, steps to reproduce the issue, and screenshots of the UI where relevant. Written permission from GetBusy is required before any public disclosure.

Encouraged submissions include OWASP Top 10 issues, business logic vulnerabilities, and authorisation flaws. Out of scope are DoS/DDoS attacks, spam, phishing, and raw output from automated tools submitted without detailed analysis.

Payment Tier

Currently, we do not offer financial rewards for bug bounty submissions, but we can provide recognition letters.

Disclaimers

Submissions do not guarantee rewards or recognition. The terms and conditions of this policy are subject to change. Non-compliance may lead to temporary or permanent bans. Our response to a reported vulnerability depends on its severity, likelihood, impact, and our team's availability. There is no guarantee of a response or of remuneration.
