At GiG we take the security of our products, projects and services seriously — committing ourselves to securing our source code, data, infrastructure, products, content and community members. Despite our hardest efforts, we understand and acknowledge that security vulnerabilities may still emerge; through the constant collaboration with public security researchers, we help further reduce our security exposure and maintain our security posture.
If you believe you have discovered a security vulnerability in any of GiG’s websites, products or services please follow the below procedure in order to ensure that the right information is communicated effectively.
If you are unsure whether or not what you discovered is a vulnerability, we encourage you to see if your discovery matches Microsoft’s Definition of a Security Vulnerability.
What we ask of you
Please do not report any security vulnerabilities through any public channels such as, but not limited to, social media networks, media networks or open-source repositories. If any information has been downloaded please refrain from downloading any further data or perform any actions that could exacerbate the issue leading to unintentional legal violations.
Reporting Security Issues
In order to raise a security vulnerability issue, please create a report to be sent via email to [email protected] and we will get back to you as soon as possible.
We will respond to any reports directly via email to request additional information and provide notifications on the status of the report on request.
If you would like to encrypt your message with PGP, you may send your public key followed by another email with the encrypted email body.
Report Format
Include the following details in order for us to better gauge the scope and impact of the finding. Keep in mind that the more information that is provided, the better.
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.);
- Full paths of source file(s) related to the manifestation of the issue;
- The location of the affected source code (tag/branch/commit or direct URL);
- Any special configuration required to reproduce the issue;
- Step-by-step instructions to reproduce the issue;
- Proof-of-concept or exploit code (if possible);
- Impact of the issue, including how an attacker might exploit the issue.
We currently require that all of our communication is to be kept in English.
Rewards
GiG does not currently have a bug bounty program however findings and reports are reviewed on a case-by-case basis and are subject to any type of reward.
Policy
Vulnerabilities reported to GiG will not undergo any form of coordinated vulnerability disclosure. At no point will vulnerabilities be disclosed publicly or given a public identifier (i.e. CVE) irrespective of the status of the vulnerability and the timeline given when it was reported.
As the reporter, public disclosure is not permitted unless explicit, written permission is provided by GiG for a specified report.
Feedback
This policy is designed to evolve and adapt over time. If you would like to provide any form of feedback or suggestions with regards to this policy you are more than welcome to do so! Simply send an email to [email protected] and we will get back to you.