At Onfido, it is our mission to bring the world's legal identities safely online by verifying identities and carrying out checks related to those identities (our "Identity Services"). It is paramount how we secure and protect the information we collect and use when accomplishing this mission. To learn more about how we secure this information, please review the Guide to Security at Onfido.
The Onfido Security Team investigates reported security bugs as fast as possible. If you believe you have discovered a security bug in any of our applications or services please contact the Onfido Security Team at firstname.lastname@example.org with your responsible disclosure report and follow the security bug reporting requirements outlined in this policy (including using our optional PGP Key to encrypt your report). We ask that you do not publicly disclose any information about the potential security bug or the existence of said security bug until it has been addressed by Onfido. Typically this should not take longer than 30 days.
Generally we ask you to apply common sense when looking for security bugs in our systems and services. Keep in mind that you are accessing a production environment. We ask you to not perform any automated scans, checks and analysis or any type of (D)DoS or load testing against any Onfido system or service. Your activity must not violate any laws.
We do not operate a rewards program for reported security bugs, but we might decide to reward the responsible disclosure of a security bug on a case by case basis. Any kind of reward is entirely at our own discretion.
What is the security bug reporting process?
The following is an example run through of a responsible security bug report in an Onfido service.
- Researcher identifies potential security bug in onfido.com.
- Researcher assembles a basic report containing the information outlined above and submits it via email to email@example.com (optionally using our PGP Key to encrypt the report).
- The Security Team will review the report, verify the reported security bug and respond with confirmation and/or further information requests; we typically reply within 24 hours.
- Once the reported security bug has been addressed the Onfido Security Team will notify the Researcher.
- (optional) Researcher can go ahead with public disclosure.
If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the Onfido security team at firstname.lastname@example.org and as described in the Onfido Responsible Security Bug Disclosure Policy.
What should your report look like?
When you send us a responsible disclosure report please make sure it contains the information outlined below. This way we can speed up the verification and remediation process. It will also reduce the time it takes us to respond to your report.
- Make sure the email subject clearly states that you are reporting a security bug. E.g.: [Security Bug Report for onfido.com ]
- The email body should provide at least the following information:
- Your preferred means of communication and a PGP key if you wish to receive encrypted emails. By default we will reply to the email address from which you sent the responsible disclosure report.
- The type of security bug you are reporting. E.g.: XSS, CSRF, SQLi, RCE.
- The systems/services/endpoints which are affected. E.g.: IPs, FQDNs, Deep-Links.
- Any details you can provide, e.g. screenshots, screen recordings, http/s transaction logs, POC exploits (please do not share any evidence via unauthenticated file drops. Contact us first in order to agree on a way to securely share files > 15MB).
- The date and time when you identified the security bug.
- (optional) The time frame during which you tested our systems and services as well as the source IPs your requests have been sent from. This will help us train our intrusion detection and log analysis systems.
If you have any questions around our responsible disclosure policy or any general security question please drop us an email at email@example.com.