Responsible Disclosure Program

Our program

At Blinq, we are committed to ensuring the security of our information, systems and services and value the role of security researchers in helping us mitigate cyber security risk.

If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity or availability of Blinq’s information, systems or services (“vulnerability”), please submit a report to our team via one of the methods below.

For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.

What’s not allowed?

While we encourage security research on our products and services, the following types of research are strictly prohibited:

  • Accessing or attempting to access accounts or information you are not authorised to
  • Any attempt to modify or destroy information
  • Sending or attempting to send unsolicited or unauthorised email or other type of message
  • Conducting social engineering (including phishing) of Blinq employees, contractors, customers or any other related party
  • Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
  • Exfiltration, disclosure or use of any proprietary or confidential information or data of Blinq (including customer data) under any circumstances
  • Clickjacking
  • Any physical attempts against Blinq property
  • Weak or insecure SSL ciphers and certificates
  • Any attempts of a Denial of service (DoS)
  • Any activity or attempt to gain unauthorised access to Blinq software or systems in violation of law.

Blinq does not waive any rights or claims with respect to such activities.

Reporting a security issue

You can responsibly disclose suspected vulnerabilities to the Blinq Team by emailing [email protected].

To assist us in investigating your report, we recommend you follow the structure:

  • Affected product or service, including affected URL(s)
  • Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
  • Date, time and time zone of when the suspected vulnerability was discovered
  • IP address used when suspected vulnerability was discovered
  • Steps to reproduce the vulnerability

Next steps

Upon submitting your disclosure, you will receive confirmation that we’ve received it within 5 business days.

We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies.

Privacy

If you have provided your personal information, we may contact you for more information to assist us with investigating your disclosure.

For more information about how we handle your personal information, you can refer to our Blinq Privacy Policy.

Recognition

Blinq does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. However we are very grateful for any submissions and are happy to provide a document crediting the individual or organisation for the discovery.


Last updated: 18 August 2022.