Responsible Disclosure Program

Published on February 5th, 2022

Roadie welcomes and encourages security research reports regarding vulnerabilities in our systems. We do not prosecute people who discover and report vulnerabilities to us responsibly and according to the guidelines below. We treat all reports seriously and with high priority.

Guidelines

  • Read the scope before you submit. Roadie.io and its subdomains, and the Intercom Messenger are not in scope. You may not get a response if you submit a bug from these domains.
  • Please avoid any privacy violations, degradations and disruption to our production systems during your testing. This includes any activity that has an impact to the availability of our systems.
  • Do not attempt to brute-force or spam our systems. Specifically, please avoid the use of automated vulnerability scanning tools.
  • Never exploit a vulnerability you discover to view data or alter data without authorization.
  • Please keep information disclosed confidential between yourself and Roadie, until we resolve the issue. We will make our best efforts to fix issues in a short timeframe.

Scope

The following assets are not in scope as part of our Responsible Disclosure Program:

  • Our marketing site on roadie.io and any subdomains of that domain.
  • Our mail servers or MX record setup.
  • Our job board.
  • Our public GitHub repositories, at RoadieHQ on GitHub or in other orgs we may own.

Vulnerability Submissions

Please report any security issues you find to [email protected]. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.

Please include the following in your submission:

  1. Your name and contact information
  2. Company name (if applicable)
  3. A detailed description of the potential vulnerability
  4. Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability.
  5. Any relevant details of your system’s configuration, such as any browser or user-agent information.
  6. Your IP address and Roadie account, so we can correlate your activity with our logs.

Reward

A reward may be awarded after we verify that the vulnerability is reproducible, unique, and has an impact on our customers. Each submission will be evaluated case by case. The decision and amount of the reward will be at our discretion.

Thank You

We want to sincerely thank you for disclosing responsibly and working with us to improve our security. We understand the work and talent you’ve put into finding these issues and appreciate you reaching out to us.

Our PGP Key

If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, you can use the following PGP key to encrypt your message to us.
