Coordinated Vulnerability Disclosure (CVD) Policy
Keeping user information safe is a top priority and a core company value for us at Smallpdf. We always welcome the contribution of external security researchers who put our security to the test. If you believe you have found a security vulnerability that might affect our users, please let us know right away via firstname.lastname@example.org
. We will investigate all reports and do our best to quickly fix valid issues.
Applications in Scope
In Scope for this Policy are the domain smallpdf.com with all its servers and services, the Smallpdf Desktop application, and the Smallpdf mobile applications (Android and iOS).
To encourage the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Share the security issue with us in detail;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners are explicitly out of scope;
- Give us a reasonable time to respond to the issue before making any information about it public. We are committed to patching vulnerabilities within 90 days or less, but we may request additional time to address an issue when appropriate, usually in cases where a third party is involved and a coordinated response is required;
- Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Smallpdf;
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
- Otherwise comply with all applicable laws.
While we encourage any submission affecting the security of Smallpdf, unless evidence is provided demonstrating exploitability, the following examples are considered out-of-scope:
- Attacks that require physical access to a user’s device;
- Reports from automated tools or scans;
- Reports of spam (i.e., any report involving ability to send emails without rate limits);
- Any report that discusses how you can learn whether a given username, email address has a Smallpdf account;
- Any circumvention of our limitations;
- Being able to upload files with wrong file type;
- Social engineering of Smallpdf employees or contractors;
- Any physical attempts against Smallpdf property or data centers.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with this policy, Smallpdf will take steps to make it known that your actions were conducted in compliance with this policy.