Security Vulnerability Disclosure Program

At TopFunnel, we treat building secure software as our highest priority. We understand that both our success and yours depend on protecting you from the latest security threats. We hope that if you discover a security vulnerability in our product, you’ll share it with us immediately.

In the best interest of our customers and Internet users worldwide, we ask that you follow the guidelines of responsible disclosure:

  • Do not publicly disclose part or all of the vulnerability until we have had a chance to investigate and address it.
  • Do allow us a reasonable timeframe to respond to you and address the vulnerability before making any information public.
  • Please don’t access or modify system data, and act in good faith so as not to degrade the performance of our services (including through denial of service).
  • If you comply with these requests, we won’t take legal action against you.

Scope

TopFunnel’s Vulnerability Disclosure Program applies to security vulnerabilities discovered in our website or other public-facing software running on the topfunnel.co domain.

These are the vulnerabilities we are looking for:

  • Cross-site request forgery (CSRF/XSRF)
  • Cross-site scripting (XSS)
  • Authentication bypass
  • Remote code execution
  • SQL Injection
  • Privilege escalation

Bugs not listed above will be accepted at our discretion.

Guidelines

We ask security researchers to please adhere to the following guidelines:

  • Do not permanently modify or delete TopFunnel-hosted data.
  • Do not intentionally access non-public TopFunnel data beyond what is necessary to demonstrate the vulnerability.
  • Do not DDoS or otherwise disrupt, interrupt or degrade TopFunnel’s internal or external services.
  • Do not share confidential information obtained from TopFunnel, including but not limited to customer data, with any third party.
  • Social engineering is out of scope. Please do not send phishing emails to, or use other social engineering techniques against, anyone, including TopFunnel employees, vendors, or partners.

In addition, please allow TopFunnel at least 90 days to fix the vulnerability before publicly discussing or blogging about it. We believe that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial. We also understand that when and how to hold back details, so as to mitigate the misuse of vulnerability information, is a highly subjective question. If you believe that earlier disclosure is necessary, please talk to us so that we can begin a conversation.

How to report a vulnerability

If you believe you have discovered a vulnerability in one of TopFunnel’s products, please let us know by sending a report to security@topfunnel.co.

To help us quickly identify and fix the vulnerability, please include the following information in your report:

  • The type of vulnerability
  • The TopFunnel product affected
  • Exact steps to reproduce the issue
  • Your name and contact information, so that we can acknowledge your submission
  • Any additional information that could be relevant

Our thanks to you

We greatly appreciate the efforts of those security researchers who identify vulnerabilities and work with us to ensure that we can develop a fix and issue it to all our customers. We thank you for going out of your way to help us minimize the risk to our customers and to improve the security of our products.