Speedify Vulnerability Disclosure Program
At Connectify, security is one of the three pillars that all of our products are built upon. The Connectify security team encourages responsible reporting of any vulnerabilities that may be found in our site or applications. Connectify is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.
Reporting an Issue
If you believe you have found a vulnerability or security issue in Speedify or another Connectify product, we appreciate a report with the related details.
Each report should include the following fields:
- Title: a one line description of the vulnerability
- Summary: a brief description of the vulnerability and why it matters
- Impact: a description of how this issue will impact Speedify or its users
- Likelihood: a brief description of the probability that this threat event might occur
- Steps to Reproduce: a step-by-step walkthrough of how to reproduce this vulnerability with a PoC
- Recommendations: any advice on how this issue could be fixed or remediated
- References and notes: any reference links or side notes that you want to make about the vulnerability; this field is optional but will be welcome
To ensure security, such reports should be sent ENCRYPTED to security@connectify.me using our PGP key with the fingerprint: 0882 A6CA 0EC0 486A 9503 A80B 6742 1E86 02E2 0557
Connectify does not permit the following types of security research:
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Speedify or its users (e.g. Spam, Brute Force, Denial of Service…)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on Connectify personnel, property or data centers
- Social engineering any Connectify service desk, employee or contractor
- Violating any laws or breaching any agreements in order to discover vulnerabilities
Connectify Security Team Commitment:
We ask that you do not share an unresolved vulnerability with third parties or publicize it. If you responsibly submit a vulnerability report, the Connectify security team and associated development organizations will use reasonable efforts to:
- Response: Respond in a timely manner, acknowledging receipt of your vulnerability report. Expect a response within 2 business days
- Triage: Provide an estimated time frame for addressing the vulnerability report. This could take up to 10 business days from the initial submission
- Fix: Notify you when the vulnerability has been fixed
- Safe Harbor: We will not take any legal action against participating researchers who act in good faith by following the guidelines in this policy
We are happy to thank every individual researcher who submits a vulnerability report that helps us improve our overall security posture at Connectify.
We do acknowledge that it may in some cases take time before a release is made available. There are various reasons for this, relating to the severity of the vulnerability, how it fits with ongoing release work, and how many products the issue may affect. This is not an attempt on our part to delay a resolution but to ensure that the required modifications have the proper quality, resolve the issue, and do not introduce regressions.
We thank you for being patient and for working with us towards a resolution.