How to report
Email [email protected].
Please include enough detail for us to reproduce the issue:
a description, the affected URL or endpoint, the steps you
took, the result you saw, and any proof-of-concept output
that won’t expose another customer’s data.
Scope
The following are in scope for this policy:
- foldr.com, www.foldr.com and the marketing site.
- The Foldr SaaS application served from app.foldr.com and customer subdomains under *.foldr.cloud.
- The Foldr appliance shipped to self-hosted customers, current supported releases.
- Foldr desktop and mobile apps, current supported releases.
The following are out of scope:
- Findings on infrastructure operated by our sub-processors. Please report those to the relevant provider; the current sub-processor list is on the Trust Centre.
- Customer-controlled storage backends (customer-operated SMB, FTP/SFTP, WebDAV, S3, Azure Blob, Dropbox, OneDrive, SharePoint, Google Drive, B2). Please report those to the system or service owner.
- Reports that rely on an attacker already having Foldr administrator access for the affected instance, unless they cross a documented permission boundary.
- Reports relying solely on missing security headers or weak configurations that have no demonstrated security impact.
- Volumetric or denial-of-service tests, traffic-flooding tests, automated scanning that triggers our rate limiters, and brute-force attempts. Please describe the issue rather than demonstrating it.
- Phishing or social-engineering attacks against Minnow IT staff or our customers.
- Self-XSS that requires the victim to paste content into the browser.
- Findings against unsupported releases. We will tell you what the current supported release is on request.
What we ask of you
- Give us a reasonable opportunity to investigate and remediate before disclosing the issue publicly. We aim for ninety days from acknowledgement, or a date we mutually agree.
- Do not access, modify, or delete data that does not belong to you. If a proof-of-concept exposes another customer’s data, stop and describe the issue rather than demonstrating it.
- Do not run automated scans against the production service without coordinating with us first.
- Comply with the UK Computer Misuse Act, the EU Cybercrime Directive, and any other law that applies to your activity.
What you can expect from us
- Acknowledgement of your report within five working days.
- An initial triage and severity assessment within ten working days.
- Status updates at least every two weeks while the report is open.
- Credit in our security advisory for the fix if you would like it, by name or pseudonym, once the issue is remediated. Tell us in your report which you prefer.
- No legal action against good-faith reporters who follow this policy. See “Safe harbour” below.
Safe harbour
We treat security research carried out in good faith and in
line with this policy as authorised conduct. We will not
pursue civil or criminal action against you, and will not
ask law enforcement or a third party to do so on our behalf,
for activities that comply with this policy. If a third
party brings legal action against you for research that
complied with this policy, we will make our authorisation
position clear to that party.
Safe harbour does not extend to access of customer data
beyond what is strictly necessary to demonstrate the issue,
to public disclosure ahead of remediation, or to use of any
finding for commercial gain or coercion. It does not waive
any obligation you owe a third party.
Bounty
We do not currently run a paid bug-bounty programme. We will
revisit this once we have a stable disclosure cadence; if you
believe a particular finding warrants a discretionary reward,
say so in your report and we will consider it case-by-case.
Coordinated disclosure with our sub-processors
Where a finding involves a sub-processor, we will coordinate
with that sub-processor before disclosure. Some
sub-processors operate their own bounty or disclosure
programmes; we will tell you when that is the case so you
can pursue parallel reporting if you want to.
Contact
Email: [email protected]
Post: Minnow IT Ltd, Bristol and Bath Science Park,
Dirac Crescent, Bristol, BS16 6TH, United Kingdom.
Minnow IT Ltd is registered in England and Wales (company number 07970411).
ICO registration number Z3317461.