Vulnerability Disclosure Policy

For guidance on reporting security vulnerabilities to Unstack Software LLC (DBA Block Sender), please refer to this policy, which should be read in the context of the Block Sender Terms of Use.

If you have found a vulnerability on of the Block Sender products (i.e. dashboard, API, Chrome extension, etc.), we encourage you to submit your report to us as soon as possible and to not make the vulnerability public until it has been fixed and verified by Block Sender.

While we greatly appreciate vulnerability disclosures from the community, no compensation will be given.

Block Sender will not file a lawsuit against you or report you to law enforcement assuming the vulnerability was reported responsibly and that it meets the following criteria.

Disclosure Guide

  • Notify Block Sender of the vulnerability and provide all of the details available to you.
  • Please provide enough detail to be able to fully identify and reproduce the issue, which may include the product, version, URL, requests/responses, screenshots, etc.
  • Provide Block Sender with a reasonable time period to fix or address the issue before publicly disclosing.
  • In your research, please avoid any possible service disruption, accessing private user data, or destroying user data.
  • Do not submit reports from automated exploit scanning tools without first confirming the issue is in fact present.
  • Do not contact Block Sender employees or users for the purpose of phishing or social engineering.

Categories to Look for Vulnerabilities

We are primarily interested in hearing about the following vulnerability categories:

We encourage you to look for vulnerabilities in the following areas:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Authentication related issues
  • Authorization related issues
  • Redirection Attacks
  • Remote Code Execution
  • Data Exposure

Vulnerability Categories that are Out of Scope

The following categories are considered out of scope and should not be explored during your vulnerability research:

  • Denial of Service (DoS)
  • SSL vulnerabilities (i.e. misconfiguration or version)
  • Brute force attacks
  • User enumeration
  • Misconfigured flags on non-sensitive cookies
  • Logout CSRF
  • Issues only present in deprecated browsers or plugins
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerabilities that require users to perform highly unlikely actions (i.e. disabling browser security features, sending an attacker critical info, etc.)

How to Report Vulnerabilities

Please email [email protected] to report security vulnerabilities to Block Sender and include "VULNERABILITY DISCLOSURE" in the email subject.

Research Participants

Thank you to the following users and researchers for participating in our Vulnerability Disclosure Program!