Responsible Disclosure Policy

QuickFile acknowledge that protection of customer data is a significant responsibility and demands our greatest vigilance. We therefore take the security of our systems extremely seriously, and we genuinely value the help of security researchers and others in the security community in keeping our systems secure. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

There are a couple of key requirements that we ask all security researchers to adhere to:

  • Vulnerabilities must not be publicly disclosed before QuickFile has been notified and sufficient time has been allowed for QuickFile to analyse and, where appropriate, mitigate the vulnerability.

  • Do not use automated crawlers without first obtaining explicit consent from us. Any brute force techniques or actions that impose significant load on our servers are strictly prohibited.

  • Communication channels are kept open to allow effective collaboration.

We require that all security researchers:

  • Make every effort to avoid privacy violations, destruction of data or degradation of production systems.

  • Only use the identified communication channels to report vulnerabilities.

  • Keep information about any vulnerability you’ve discovered confidential between yourself and QuickFile until we’ve had a minimum of 40 days to resolve the issue.

Provided you follow the above guidelines, QuickFile undertake to work with you in a constructive manner and to prioritise our resources so that a fix can be put in place. If you are the first to report an issue that is “within scope” (see below), we will publicly acknowledge your contribution and in some cases award a bug bounty of up to £200 (this is at the discretion of the management).

In Scope

  • https://www.quickfile.co.uk
  • https://affinity.quickfile.co.uk
  • All web services within an account domain https://*.quickfile.co.uk

Out of Scope

All services hosted by 3rd party providers including (but not limited to):

  • https://community.quickfile.co.uk
  • https://status.quickfile.co.uk
  • Email issues relating to SMTP, SPF, DMARC and DKIM configurations.
  • Other integrated services hosted by 3rd party companies.

Qualifying Security Bugs

A qualifying security bug can include any “in scope” vulnerability such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, authorisation issues, and clickjacking. You must be the first researcher to responsibly disclose the vulnerability, and you must follow the responsible disclosure principles set out in this policy, which include giving us a reasonable amount of time to address the vulnerability. The reasonable amount of time will be agreed with you following the disclosure of the vulnerability.

What is not a qualifying vulnerability?

Each submission will be evaluated on a case-by-case basis; here is a list of some of the issues that don’t qualify as security vulnerabilities:

  • Typographic or grammatical errors;
  • UI and UX bugs;
  • TLS/SSL related issues;
  • Vulnerabilities related to dated browsers or plugins;
  • Content-Security Policies (CSP);
  • Lack of secure flag on cookies;
  • Account or item ID enumeration;
  • Missing security headers such as, but not limited to, “content-type-options” and “X-XSS-Protection”;
  • Issues that involve a malicious application installed on the client device.

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please email us at security@quickfile.co.uk. Please include the following details within your report:

  • Description of the location (e.g. URL) and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability; and
  • Your name and QuickFile account number (where applicable).