Introduction

Gotedo is firmly committed to safeguarding our users’ information and upholding the security of our systems. This Vulnerability Disclosure Policy establishes clear guidelines for security researchers who wish to identify and disclose potential vulnerabilities. The policy explains:

  • Which systems and types of research fall under this policy,
  • How to share vulnerability reports with us, and
  • How long researchers are asked to wait before disclosing vulnerabilities publicly.

We encourage security researchers to report vulnerabilities in good faith. By working together, we can resolve issues promptly, maintaining the safety and trust of all Gotedo users. This policy reflects Gotedo’s commitment to responsible security research and our appreciation for the invaluable contributions researchers make to our security posture.

Authorization

If you make a good-faith effort to follow this policy during your security testing, we will treat your research as authorized. We will work collaboratively with you to investigate and address the issue as quickly as possible, and Gotedo will not pursue or recommend legal action related to your research activities under this policy.

Guidelines

Under this policy, “research” refers to activities in which you:

  • Notify us as soon as possible upon discovering a real or potential security issue.
  • Exercise caution to avoid privacy violations, degradation of user experience, disruption of production systems, or destruction or manipulation of data.
  • Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access or persistence, or to pivot to other systems.
  • Allow us a reasonable period to resolve the issue before disclosing it publicly.
  • Refrain from intentionally compromising the privacy, safety, intellectual property, or commercial/financial interests of Gotedo employees, users, or third parties.

If you discover that a vulnerability exposes any sensitive data - such as personally identifiable information, financial details, or proprietary information - you must cease testing immediately, notify us right away, and refrain from disclosing any of the exposed data to anyone else.

Scope

All systems and services under the domain gotedo.com and its sub-domains (*.gotedo.com) are in scope unless otherwise specified. Additionally, any website referencing this policy is also in scope. If you are unsure whether a system or endpoint is in scope, please contact [email protected] or consult the domain’s WHOIS security contact before starting your research.

While we maintain additional services outside this policy’s scope, we request that you limit active testing to the systems named here. If you believe a system outside this scope warrants testing, please reach out to discuss it with us first. We intend to expand the scope of this policy over time.

Rules of Engagement

Security researchers must NOT:

  • Test any system not listed in the Scope section.
  • Disclose vulnerability details outside of what is permitted in the Reporting a Vulnerability and Disclosure sections.
  • Engage in physical security testing of Gotedo facilities.
  • Engage in social engineering of Gotedo employees, contractors, or customers.
  • Send unsolicited electronic mail or phishing messages to Gotedo users.
  • Perform Denial of Service or Resource Exhaustion attacks.
  • Upload or distribute malicious software.
  • Conduct testing that significantly degrades, disrupts, or disables Gotedo services.
  • Attempt to test or compromise third-party applications, websites, or services that integrate with Gotedo.
  • Delete, alter, share, retain, or destroy Gotedo data, or render Gotedo data inaccessible.
  • Use an exploit to exfiltrate data, establish command line access, maintain persistence, or pivot to other Gotedo systems.

Security researchers MAY:

  • View or temporarily store Gotedo nonpublic data only if it is necessary to demonstrate the presence of a potential vulnerability.

Security researchers MUST:

  • Stop testing and notify us immediately if a vulnerability is discovered.
  • Stop testing and notify us immediately if nonpublic data has been exposed.
  • Delete all stored Gotedo nonpublic data upon reporting a vulnerability.

Reporting a Vulnerability

Please submit vulnerability reports to [email protected]. At this time, we accept reports in English and do not support PGP encryption. You may submit reports anonymously if you prefer.

We will use any information you provide solely for defensive purposes - namely, to investigate and remediate vulnerabilities. If your findings reveal newly discovered flaws that affect not just Gotedo but other services or products broadly, we may share your report with the National Vulnerability Database (NVD). We will not include your name or contact details without your express consent.

By submitting a vulnerability report, you acknowledge having read, understood, and agreed to the principles in this policy and you consent to Gotedo’s storage of your communication and any follow-up correspondence on a Gotedo system.

To help us triage and respond efficiently, please include:

  • A reference to the legal terms and conditions at Gotedo Terms of Service.
  • A clear description of the vulnerability, where it was found, and its potential security impact.
  • Detailed steps or a proof-of-concept illustrating how to reproduce the issue (relevant scripts or screenshots are encouraged).

Disclosure

Gotedo aims to address reported vulnerabilities swiftly. We also understand that disclosing a vulnerability prematurely - without a tested fix - can heighten risk. Therefore, we require that researchers wait 90 calendar days after receiving our initial acknowledgment before publicly sharing details of any discovered vulnerability. If you feel a broader community should be alerted before we have implemented a corrective fix, please coordinate with us beforehand.

We may share vulnerability information with the National Vulnerability Database or other affected vendors, but we will never share your personal details without your explicit approval.

Questions

If you have any questions or suggestions about this policy, please contact us at [email protected]. We welcome and appreciate your feedback.