Responsible Security Bug Disclosure Policy
At Onfido, it is our mission to bring the world's legal identities safely online by verifying identities and carrying out checks related to those identities (our "Identity Services"). It is paramount how we secure and protect the information we collect and use when accomplishing this mission. To learn more about how we secure this information, please review the Guide to Security at Onfido.
The Onfido Security Team investigates reported security bugs as fast as possible. If you believe you have discovered a security bug in any of our applications or services please contact the Onfido Security Team at firstname.lastname@example.org with your responsible disclosure report and follow the security bug reporting requirements outlined in this policy (including using our optional PGP Key to encrypt your report). We ask that you do not publicly disclose any information about the potential security bug or the existence of said security bug until it has been addressed by Onfido. Typically this should not take longer than 30 days.
Generally we ask you to apply common sense when looking for security bugs in our systems and services. Keep in mind that you are accessing a production environment. We ask you to not perform any automated scans, checks and analysis or any type of (D)DoS or load testing against any Onfido system or service. Your activity must not violate any laws.
We do not operate a rewards program for reported security bugs, but we might decide to reward the responsible disclosure of a security bug on a case by case basis. Any kind of reward is entirely at our own discretion.
What is the security bug reporting process?
The following is an example run through of a responsible security bug report in an Onfido service.
Researcher identifies potential security bug in.
Researcher assembles a basic report containing the information outlined above and submits it via email to (optionally using our to encrypt the report).
The Security Team will review the report, verify the reported security bug and respond with confirmation and/or further information requests; we typically reply within 24 hours.
Once the reported security bug has been addressed the Onfido Security Team will notify the Researcher.
(optional) Researcher can go ahead with public disclosure.
If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the Onfido security team at email@example.com and as described in the Onfido Responsible Security Bug Disclosure Policy.
Which vulnerability reports do we review?
Every submission is reviewed by Onfido's Security Team, note that some of the reported issues may not qualify. We do not consider reports which do not include manual validation of the issue - such as reports based on the output generated by automated tools and scanners - or reports which describe theoretical attack flow without a valid proof of concept that demonstrate the exploitation. Attack vectors that require an exceeding amount of user interaction will be carefully reviewed but if the scenario is evaluated as too unrealistic, the submission will be rejected.
In addition, we consider to be excluded any vulnerability classes that is present in the list below:
Lack of security headers
Lack of cookie attributes
Social engineering (eg. phishing, self-xss)
Username / email enumeration (eg. via login page or forgot password form)
Banner, version or internal ip information disclosure
What should your report look like?
When you send us a responsible disclosure report please make sure it contains the information outlined below. This way we can speed up the verification and remediation process. It will also reduce the time it takes us to respond to your report.
Make sure the email subject clearly states that you are reporting a security bug. E.g.: [Security Bug Report for onfido.com ]
The email body should provide at least the following information:
Your preferred means of communication and a PGP key if you wish to receive encrypted emails. By default we will reply to the email address from which you sent the responsible disclosure report.
The type of security bug you are reporting. E.g.: XSS, CSRF, SQLi, RCE.
The systems/services/endpoints which are affected. E.g.: IPs, FQDNs, Deep-Links.
Any details you can provide, e.g. screenshots, screen recordings, http/s transaction logs, POC exploits (please do not share any evidence via unauthenticated file drops. Contact us first in order to agree on a way to securely share files > 15MB).
The date and time when you identified the security bug.
(optional) The time frame during which you tested our systems and services as well as the source IPs your requests have been sent from. This will help us train our intrusion detection and log analysis systems.
If you have any questions around our responsible disclosure policy or any general security question please drop us an email at firstname.lastname@example.org.