Responsible Disclosure

Index is fully committed to keeping customer data safe and secure. We value any input from the community that helps us detect vulnerabilities and further improve our security posture.

How to report an issue

If you believe you have found a security vulnerability, please send an email to security@index.inc with the following details:

  • A general description of the vulnerability
  • The URL where this vulnerability was found
  • The steps to reproduce the vulnerability, including screenshots or videos if relevant

What we expect from you

  • Do not execute a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers.
  • Do not access or modify any data that does not belong to you.
  • Do not publicly disclose the vulnerability until we have had a reasonable amount of time to fix it.

What you can expect from us

  • We will respond to your report within 24 hours.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know.
  • If your report is valid, we will prioritize the issue and inform you once it has been fixed.
  • We will let you decide whether you want to be publicly acknowledged or not.

In scope

  • https://index.team
  • https://api.index.team
  • https://index.inc

Out of scope

  • Automated scanning
  • Social engineering
  • Password brute force
  • Clickjacking on pages with no sensitive actions
  • Missing security headers (unless you can demonstrate an exploit)
  • Security issues only reproducible under highly unlikely conditions (using outdated browsers, operating systems, or insecure internet connections)

Safe Harbour

We consider vulnerability research conducted according to this policy to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.