
Security

REA Responsible Disclosure Policy

Online safety and security are of utmost importance at REA and we value the work undertaken by the research community. This policy outlines how to responsibly disclose security defects or vulnerabilities affecting REA products and services.

Guideline

The identification and disclosure of security vulnerabilities helps REA to protect the safety and privacy of everyone using REA’s services.

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of REA data during testing;
  • Perform research only within the limits of scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about the discovery of any defects or vulnerabilities confidential between yourself and REA until sufficient time has passed to resolve the matter, but no less than 90 days from the date of notification of the vulnerability to REA.

Provided that you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue legal action related to your discovery and reporting of the vulnerability (in relation to any non-compliance with these guidelines, we reserve all of our legal rights);
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 working days of receipt of your submission); and
  • Recognise your contribution on our Security Researcher Hall of Fame, if you are the first to report an issue that we have not already discovered and we make a code or configuration change based on your report.

Scope

This disclosure policy applies only to vulnerabilities in REA products and services:

  • which are original, previously unreported and not already discovered by internal procedures; and
  • for REA Group domains/subdomains which have a security.txt file in their root (i.e. http://<subdomain.domain.tld>/security.txt).

Out of scope

Third party providers and services are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating);
  • Findings derived primarily as a result of social engineering (e.g. phishing, vishing);
  • Findings from an account that does not belong to you;
  • Findings from applications or systems not listed in the ‘Scope’ section;
  • UI and UX bugs including spelling mistakes; and
  • Network level Denial of Service (DoS/DDoS) vulnerabilities.

Things we do not want to receive:

  • Personally identifiable information (PII);
  • Credit card holder data;
  • Any other sensitive data as defined by the Australian Privacy Act; and
  • Reports indicating that our services do not fully align with “best practice”, e.g. missing security headers (Content-Security-Policy, X-Frame-Options, X-XSS-Protection etc.) or suboptimal email-related configuration (SPF, DMARC etc.).

This policy is intended to align with all relevant legislative requirements and does not give you permission to breach any laws nor cause REA to breach any laws.

How to report a security vulnerability?

If you believe you’ve identified a security defect or vulnerability in one of our products or platforms, please send it to us by emailing security-vulnerability@creativegraphicsplus.com

Your report must include the following details:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and,
  • Your name/handle and a link for recognition in our Hall of Fame.

By reporting a vulnerability to us you consent to us collecting your researcher name and/or handle for the purpose of publishing your details in our responsible disclosure Hall of Fame. Our Privacy Policy further explains how we collect, use and disclose personal information and how to access, correct or complain about the handling of personal information.

(If you do not wish to have your details published, please let us know at the time of disclosure.)

We request that you encrypt your report by using our PGP key and that you delete any data as soon as it is no longer reasonably required.

If you are unsure whether your actions are in line with our policy, please contact our security team for guidance at security-vulnerability@creativegraphicsplus.com.