Vulnerability Disclosure Policy
We take the security of our customers' data very seriously. If you believe you've discovered a potential security vulnerability within one of our services or products, we strongly encourage you to disclose it to us as quickly as possible and in a responsible manner.
We appreciate the assistance and patience of security researchers and we are committed to reviewing all reports that are disclosed to us.
We will do our best to address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure.
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
Policy Scope
We encourage you to conduct responsible security research on those of our products and services to which you have authorised access.
The following types of research are strictly prohibited:
- Accessing or attempting to access accounts or data that does not belong to you
- Any attempt to modify or destroy data
- Executing or attempting to execute a denial of service (DoS) attack
- Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
- Conducting social engineering (including phishing) of "Finder" employees, contractors or customers or any other party
- Any physical attempts against our property or data centres, including (but not limited to) distribution facilities and offices
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
- Testing third party websites, applications or services that integrate with our services or products
- Any activity that violates any law
The following vulnerability types are excluded from this Responsible Disclosure Program:
- Descriptive error messages such as stack traces, application or server errors
- HTTP 404 codes or pages, or other HTTP non-200 codes or pages
- Fingerprinting or banner disclosure on common and public services
- Disclosure of known public files or directories, such as robots.txt
- Clickjacking and other issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users, such as contact, login and logout forms
- Content spoofing
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Lack of Secure or HTTPOnly flags on non-sensitive cookies
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, etc.
- HTTP or DNS cache poisoning
- Weak or insecure SSL cipher suites
- Self-XSS
Safe Harbour
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability.
This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program.
In the event of any non-compliance, we reserve all of our legal rights.
If in doubt, please contact the "Finder" Security Team by sending an email to security@finder.com.
Communication Process - How to Report a Potential Security Vulnerability
You can responsibly disclose potential security vulnerabilities to the "Finder" Security Team by emailing security@finder.com.
Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.
Your email to us should contain:
- An explanation of the potential security vulnerability;
- A list of products and services that may be affected (where possible);
- Steps to reproduce the vulnerability;
- Proof-of-concept code (where applicable);
- The names of any test accounts you have created (where applicable); and
- Your contact information.
What happens next?
Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response.
Going forward, we will keep you informed on our progress towards addressing the potential security vulnerability and will also notify you when the matter has been addressed.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, remediated or mitigated the potential security vulnerability.
Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities.
Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.