Handrails

Vulnerability Disclosure Program

Last Updated: 15 November 2024

1. Introduction

Handrails welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

2. Systems in Scope

  • The www.handrails.ai and app.handrails.ai websites and infrastructure
  • Any public (internet-facing) infrastructure owned and operated by Handrails
    • e.g. CDN, firewalls, NAT gateways, S3 buckets
  • SSO vulnerabilities (both Handrails as IdP into third-party systems and vice versa)

3. Out-of-Scope

  • Attacks that are likely to degrade the Handrails service including:
    • Denial of Service (DoS or Distributed DoS) attacks
    • Brute force attacks
    • Spam
  • Attacks that are likely to corrupt or encrypt Handrails data
  • Social engineering or phishing attacks against Handrails employees or customers
  • Reports on non-compliance with best practices where no explicit vulnerability has been identified

4. Official Communication Channel

Contact us via email (security@handrails.ai) with a detailed report of the potential vulnerability.

The email should include as much of the following information as possible:

  • Your name and contact information
  • The type of vulnerability
  • Which system(s) are affected
  • Step by step instructions for reproducing
  • Screenshots and/or other evidence of the vulnerability

If the report contains sensitive or confidential information then please encrypt it with our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGc2ySsBEAC6l2e8lWAbry4utYKVFiJJVPE0mn697ZvY9PkeVHYQ3nc21K56 ZlDUCI7iysDE9rxvatPoYBZhUiSUusqPL0V/E4zzcqnbRtAvZagAh2HLcqwhnGNU COUvJhCHOS/DEiq0nWRWfungU7irbhcGy+IYErh//yZCLtK2afIg/5tMnDrImzn7 TRt14npvSqZkNlT9j9AzuUVDoQlVIEs7frwuJ0QnlIDbSFyS3mL3H26gHhmhIcCO FoICuKYUdtOKv08vkgZndJQB3MaixaAx8YoQVgUGXtwFP4o5iu8i3Y3925BPKZEE 8T4OHx2/eZ57WpOzVM4wSkw6txRguovGpXKZc0eirPdG14b3dfAnFYdZU2TYgg4K +MZ/7u1FjnobrWBksJ/2ON2cDA8gVdkYzEehoLAprKY+btluVpcO+G3NS29HolTG KTIlvrmz+0XfoDODk48lNNqBNicux6iZ99zhP5hEIs/vNHB0VbkGnofrxVSslNS6 Fs9ILQePj2SPqF/6yCNVl5XdLJUFeg/kitw0MEiwsQdwgqJ/jLwP9Xek57tVTgdD nyYb6n6E0ydo86qi0Kd6z45c8FDxZ4UObUOhjImBPX6g7mIoKGB118E8w33eLPAY VWqCAE4Q0XhL5YtdVMeRZ1bU1/5+SjYs5vCHYdm7riXb58v4aEjRym4SRQARAQAB tCJIYW5kb3ZlciBBSSA8c2VjdXJpdHlAaGFuZG92ZXIuYWk+iQJOBBMBCAA4FiEE 6oDZs1Ls+QlziyPfpG+2kOK0fakFAmc2ySsCGwMFCwkIBwIGFQoJCAsCBBYCAwEC HgECF4AACgkQpG+2kOK0falTQRAArJ+8lRHcjld+UysqpCV82pxfb3k+6RC8AlQu kzdcq4syBIvQmnah26LVIM5ydoeyxtzqR/qzE18RY0mcMWz/uCbjk+f6y3mpMtWW 8QqIGhto5vg+KtYHL7eyIhJqnaUIbEV6vJ36Ux0P0uwi37bJ1nRH9GLSCwUE+xak wkQUdQCe6XcV3kZAHhIB9bDv3OxKxs1oYO9frR8sT1pEF5HMkzQyaDIE2LXx8i5l jyMkSs7yNBW/2yzpbP3WmDRc0pKZ9JAMlw31Px1pEbLmKpPerdSvvDAwA+40ARvP Gey7TkMLkkMvFBAWqWWxeedIGj2/I84SmwLgY6fvuGklbBnU6wOQDoGOEvD81EgN 4C6hNm9G2OQBtORP9hglGHDM2jSbD3ff1zFTUSXw+F5WzycSBXodZ20h/DAojNBo mgeVPwp8uXzhe69o0mZCOhprk0F2vKAR8pnZ299WHh6YbhsqM5cetu8YLn054diW IQkKW8M2N+JgexLQ1fsPgQrOG7I1NtYhvZ8n3Wuz0EADVeJsAVjjAr9h5oZlbdYg 6o0Azu2g1CvOPwbRMw80PFzXDLowcy3thchWcJ8b1azbBOkqv/QfOh0gepLIOA3C sGNa2eeVN+jQkDVRCZExORsM7uCcpmn3kcInVt/ERe4B3w9/sQli7Cb1C7F5+xGB SFt2unm5Ag0EZzbJKwEQALjzSmBXQuxYyKmGZ/oAxaT38Cr3GpbET7F3nfKPcoHc qMi2ZDantj4gdsIFjTPkbBMn1Nj/3hcwUDDHSENHLOI4W291vkc4mkJgx7w/XREk Ea0sTp1ehi1bWmzivQOw+WyigwA2wnVvkgNciC2DvjxD31HaIi0SlOZMRPXC1flQ nLHjwX96WuGlYhiwvQ7N+6q3DRwrWEUT2OPCaWUoZ08mkY0EiH779XJc1vh3BGG/ GIWcl4aFSKq4ScFOEHBFADX2CrS0wGSZQIUvZPZPBrksfhu7gtWGJiIForsVNYgT nSUB8uW4iBgiFjthDZUPKbmLgh6DqMLBE36UJugycbc9r9R8bAU9EkUuQPCR1HlZ Dtb/wGoINpum1A090FsUb7rHtY+Tuj4mGUyc21xrCL229jKZel5pBjfk9zuxhJn2 LqTJwzORSC1wDOKg4vPnqP42ONCB9QU25Mu6EgGS+eU8LmozZOi9aPMu5kFbAEfq juHOcEFuXJeSe6wDKVNusuUKuG9N40piRuoFmM/HO4PMmLONF6mo4Hsdad1x1qhY +PBj6Q+l6sdj1jJ1cmgij2aSKRizqL7Q1F/PdHW9pAdFXP+GXf0QX6InIpeHj1+d fUIL5DTN1IEzG6pJPI1l9nrXAJlia0D3yNBohUxurWmHwTCe8MbtPXRKULKsTSfz ABEBAAGJAjYEGAEIACAWIQTqgNmzUuz5CXOLI9+kb7aQ4rR9qQUCZzbJKwIbDAAK CRCkb7aQ4rR9qTFqEACXmjWtKHr/rPhdE+YjiRleOcOYH7iN6eAK+++NdZWbykc6 v1d9AcJbOUZfqilqgQw65WEwj8C6sq6lc9lBpJapCU3OxmVaeBouwd/NYcBjY4BF jNos9x2uT93ucveXC6m2z/Hisiuhdjw1FQDI672Bh3uGoJb3UIH2yfh2BeJZxs9V d5A/olOso1DNOBF5/xPSC6JhybHHb2MCJNudKvkxrNFLZAhmOsAqBvsF6h+8pN2J 07AXk3YqhBFxGt3eEyjy7ubl0Ss4I06CmUvp23tvboWU9UsfzxctB9yQMWw2BQKK NMTKfqTznOEUe2fvp9MXbGqEeXBNzJdWrw9vIazfI+ke33z+xIGdiW9C6LAGpPAk WtCVFIW1FH4luOpJo6zYLfG2jh5XZmTQP/aDhOWvmHgAnRAjq+DgpJhYVihMhViH YDKLDQeRY2NJfsF0nvaY/w3rc1ZlQFw+E3vlDSDt4ErcFFf+F7HHtdVe7crA1FCs JuiaUebKOCq0fTQsUAjm4kNj9rDekZ5gveCvYLT9FWJTDwtNzfUIXruitTIvenzP zeLf/cX+JiWR/XVdazvreEyaztAk4buqfSDk+KMhCI5iKnaDas15ewanuAOkoSDM 4LUXv3CdPkLEVX04J/wXCbe0e3/VS8+tP7aok/Yf+/oqTY14DQoQIwNaqJjOWw== =dkZo -----END PGP PUBLIC KEY BLOCK-----

5. Disclosure Policy

Due to the sensitive nature of our data and our commitment to our customers' privacy we do not permit public disclosures under any circumstances.

6. Rewards

Handrails does not currently offer rewards to vulnerability reporters. Check back for updates though as this is under review and has the potential to change.

7. Expectations

When working with us according to this policy, you can expect us to:

  • Extend Safe Harbor for your vulnerability research that is related to this policy;
  • Work with you to understand and validate your report, including a timely initial response to the submission; and
  • Work to remediate discovered vulnerabilities in a timely manner

8. Ground Rules

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • You should only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

9. Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.