Security & Vulnerability Disclosure Policy
Comply Technologies, Inc. and its subsidiaries and affiliates (collectively, “Comply”) are committed to ensuring the security and privacy of the information stored in our systems. Accordingly, maintaining the security of our network and the data we hold is important to us. This policy should be followed when reporting vulnerabilities or any other security issues in Comply’s websites, platforms, and applications.
Comply’s security team is committed to investigating any issues reported to us by the security community. This policy is intended to provide clear guidance on how Comply expects the security community to conduct vulnerability discovery activities and submit any findings to us. Reported issues may require further investigation by our support and development teams, and any fixes will be prioritized according to our vulnerability and patching strategy and, where relevant, our incident response procedures.
By submitting a report, you are committing to the terms of this policy and to making good faith efforts to follow it.
Research Guidelines:
Do:
- Communicate information about potential security vulnerabilities in a responsible manner. This means complying with all applicable laws and respecting the privacy of individuals. Your security research should also avoid degrading the experience of any users and/or visitors to our websites, platforms, or services, disrupting systems, and/or destroying or manipulating data.
- Only access data that is necessary to demonstrate a vulnerability.
- Exercise caution when testing to avoid negative impacts to customers and the services they depend on.
- Submit only evidence of bugs you have actually tested and confirmed to be a problem. Please only report issues that are very clearly security problems. If in doubt, don’t submit it.
Do not:
- Target, social engineer, phish, or attack any of our customers, suppliers, employees, contractors, or users, or violate their privacy.
- Perform tests that could disrupt services provided by Comply.
- Manipulate or change any data on our systems or services.
- Disrupt our systems or services by using high-intensity or destructive scanning tools, attempt Denial of Service (DoS or DDoS) attacks, or perform any other tests that impair access to or damage a system or data.
- Brute-force or guess credentials in order to gain access to systems.
- Perform any testing designed to cause destruction of data, or the interruption or degradation of Comply services.
- Use automated tools of any kind. They disrupt our services, and the bugs they find will all be duplicates.
- Submit generic reports about a “possible” security problem. We need specific attack vectors.
- Send us “Security Best Practices” reports. We already know about these.
- Harass us asking for rewards or bounties. We will offer you a bounty if your report is serious enough. We want to reward you for your work, but clicking a button on a tool you downloaded is not a way to earn a reward.
Out of Scope:
- Our marketing site (www.comply.com) is not within the scope for testing. Any report relating to that site will be treated as informational only. Additionally, vulnerabilities found in systems belonging to our vendors fall outside of this policy’s scope and should be reported directly to the applicable vendor. If you aren’t sure, please email securityreport@comply.com.
- If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
Reporting a Vulnerability
If you believe you have found a security issue that meets the policy detailed above, please stop testing, immediately send a report to us at securityreport@comply.com, and do not disclose the finding to anyone else.
Please do not spam public or private email addresses you’ve found online.
Please supply a detailed technical description, including:
- The website, IP, or specific page where the vulnerability can be seen.
- Further information about the vulnerability, including its potential for exploitation and potential impact and/or consequences, if exploited.
- Detailed steps to reproduce the vulnerability, including screenshots.
- Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details, to aid accurate identification and/or remediation of the issue.
Reporting an Active Data Breach
If you suspect or have identified evidence of a live data breach, please report it to our Privacy team at privacy@comply.com.