Vulnerability Disclosure Policy

Swym Corporation is committed to ensuring the security of our systems and data. We value the role the security research community plays in helping us maintain a high level of security. This policy outlines our guidelines for security researchers reporting vulnerabilities to Swym.

Purpose

This policy aims to:

  • Provide security researchers with clear guidelines for conducting vulnerability discovery activities.
  • Define how to submit discovered vulnerabilities to Swym Corporation.
  • Outline Swym Corporation's commitment to addressing reported vulnerabilities in a timely manner.
  • Foster a collaborative relationship with the security research community.

Scope

This policy applies to the following Swym Corporation Applications:

  • Swym Wishlist Plus 

This scope may be updated periodically as additional applications and services are added.

Authorization

Swym Corporation considers security research conducted in accordance with this policy to be authorized. We will not pursue legal action against individuals who:

  • Conduct security research in good faith;
  • Limit their testing to systems and applications within the defined scope;
  • Avoid actions that would compromise data or service availability; and
  • Comply with applicable laws and regulations.

Guidelines for Responsible Disclosure

We ask that security researchers adhere to the following guidelines:

  • Conduct vulnerability research in good faith.
  • Make reasonable efforts to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to verify a vulnerability. Do not use exploits to access data beyond what is necessary to describe the vulnerability.
  • Testing must be limited to assets and accounts that you own or are explicitly authorized to test. Do not attempt to access, modify, or interact with data or systems belonging to other Swym merchants or users.
  • Do not perform testing that results in excessive load on Swym Corporation or merchant systems. Rate-limited and non-intrusive testing methods must be used.
  • Do not retain, copy, transmit, or share any sensitive data encountered during your testing. If any sensitive data is accessed unintentionally, cease testing immediately and report the incident without disclosing the data further.
  • Any use of the vulnerability or derived data for personal, commercial, or reputational gain outside the responsible disclosure process is prohibited and will void any Safe Harbor protections.
  • Do not intentionally access, download, or modify data belonging to others.
  • Immediately stop testing and notify Swym if you encounter any of the following:
      • Sensitive data, including personally identifiable information (PII), financial information, or trade secrets.
      • Access to any system beyond what is required to prove the vulnerability.
  • Keep any discovered vulnerabilities confidential until they have been resolved by Swym.
  • Provide Swym Corporation with a reasonable timeframe to address the reported vulnerability before disclosing it publicly.
  • Do not submit a high volume of low-quality reports.

Reporting a Vulnerability

To report a security vulnerability, please submit the following information to security-reporting@swymcorp.com:

  • The subject line should be “Vulnerability Report: [Vulnerability Name or Description]”
  • A clear and concise description of the vulnerability.
  • The affected system or application and its version.
  • Detailed steps to reproduce the vulnerability, including any necessary proof-of-concept (POC) code or screenshots.
  • The potential impact of the vulnerability.
  • Your contact information (name/pseudonym, email address). Please indicate if you wish to be credited for the discovery.
  • Any suggested mitigation or remediation actions.

What to Expect from Swym Corporation

Swym Corporation will:

  • Acknowledge receipt of your vulnerability report within 5 business days.
  • Evaluate the vulnerability and determine its validity.
  • Respond to your report with our findings and an estimated remediation timeline.
  • Work to remediate the vulnerability in a timely manner.
  • Keep you informed of the remediation progress.
  • Publicly acknowledge your contribution, if you wish, after the vulnerability has been resolved.

At this time, Swym does not offer monetary rewards for vulnerability reports. However, we are happy to recognize meaningful contributions through other means, including public acknowledgment.

Out-of-Scope Activities

The following activities are outside the scope of this policy and are not authorized:

  • Conducting denial-of-service (DoS or DDoS) attacks.
  • Social engineering, phishing, or any other attacks against Swym employees or users.
  • Impersonating Swym Corporation staff, merchants, or users under any circumstances as part of your research.
  • Physical attacks against Swym facilities.
  • Attempting to access third-party systems.
  • Automated scanning of our systems without prior coordination.
  • Testing of systems not explicitly listed in the "Scope" section.
  • Violation of any applicable laws or regulations.

Legal Notice

This policy does not grant you permission to conduct security research that would otherwise be unlawful under the laws of any jurisdiction. Researchers are solely responsible for ensuring that their security research activities comply with all applicable laws. Swym Corporation reserves the right to modify this policy at any time.

Safe Harbor

Swym Corporation will not pursue legal action against individuals who conduct vulnerability research in accordance with this policy. If legal action is initiated by a third party against you for activities conducted in line with this policy, Swym will take reasonable steps to communicate that your actions were authorized and conducted in good faith under this policy.

Contact

If you have any questions about this policy, please contact us at security-reporting@swymcorp.com.

Thank you for helping us keep Swym Corporation secure.