AUDIOPOD, INC. SECURITY POLICY
Last Updated: December 2024
At AudioPod, Inc. ("Company", "we", "us", "our"), we take the security of our systems and user data seriously. We appreciate the security research community's efforts in helping us maintain a secure platform.
This policy describes how to report security vulnerabilities to us and what you can expect when you do.
Reporting Security Vulnerabilities
If you believe you have discovered a security vulnerability in our services, please report it to us as soon as possible. We welcome reports from security researchers, industry organizations, and the general public.
How to Report
What to Include in Your Report
Please provide as much information as possible, including:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected systems, URLs, or components
- Potential impact of the vulnerability
- Any proof-of-concept code or screenshots
- Your contact information for follow-up questions
Responsible Disclosure Guidelines
We ask that you:
- Give us reasonable time to investigate and address the vulnerability before making any public disclosure. We aim to respond within 72 hours and resolve critical issues within 90 days.
- Act in good faith to avoid privacy violations, data destruction, and interruption or degradation of our services.
- Do not access or modify data belonging to other users without explicit permission.
- Do not perform actions that could negatively impact other users, including denial of service attacks.
- Do not use automated tools that generate significant traffic or could disrupt our services.
- Only interact with accounts you own or have explicit permission to test.
In-Scope Vulnerabilities
We are particularly interested in:
- Authentication and authorization flaws
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection and other injection attacks
- Server-side request forgery (SSRF)
- Remote code execution
- Privilege escalation
- Sensitive data exposure
- Business logic vulnerabilities
- API security issues
Out of Scope
The following are generally out of scope:
- Denial of service (DoS/DDoS) attacks
- Social engineering attacks against our employees
- Physical attacks against our offices or data centers
- Spam or social engineering techniques
- Clickjacking on pages with no sensitive actions
- Missing security headers that don't lead to direct exploitation
- Issues in third-party services or applications
- Recently disclosed zero-day vulnerabilities (within 30 days)
- Vulnerabilities requiring unlikely user interaction
- Reports from automated tools without proof of exploitability
Our Commitment to You
When you report a vulnerability in good faith, we commit to:
- Acknowledge your report within 72 hours
- Keep you informed about the progress of our investigation
- Not pursue legal action against researchers who follow this policy
- Work with you to understand and resolve the issue quickly
- Credit you in our security acknowledgments page (if desired)
- Maintain confidentiality about your report until we've addressed the issue
Safe Harbor
When conducting vulnerability research according to this policy, we consider your research to be:
- Authorized under applicable anti-hacking laws
- Exempt from DMCA restrictions
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
We will not initiate legal action against you for security research conducted in accordance with this policy. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.
Security Measures
We implement industry-standard security measures including:
- TLS/SSL encryption for all data in transit
- Encryption at rest for sensitive data
- Regular security audits and penetration testing
- Multi-factor authentication options
- Role-based access controls
- Continuous monitoring and logging
- Incident response procedures
- Regular security training for employees