Security Disclosure

We welcome reports from security researchers on issues found in Scale Factory systems.

Out of scope:

  • Software version or banner disclosures
  • Self-XSS or CSRF on unauthenticated web forms
  • Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
  • Brute force attempts
  • Account enumeration
  • Email spoofing possibilities. Suggesting turning on SPF, DMARC, or DKIM isn’t welcome, though specific issues with those configurations are.

Contact

Contact the Scale Factory security team at security@scalefactory.com

If you wish, you can encrypt your message using our PGP key.

Please include the following details in your report:

  • Detailed description of the issue, including the affected product/service and steps to reproduce the vulnerability
  • Any technical details and proof-of-concepts that can help us identify and resolve the issue
  • Details of the environments the issue was reproduced in
  • Your name/handle and contact information (we will keep it confidential and only use it to correspond about this disclosure)

We ask that you:

  • Report any vulnerability directly to us, and not attempt to exploit it for any purpose.
  • Avoid publicly disclosing details about the vulnerability until we have had sufficient time to resolve it.
  • Provide us with a reasonable amount of time to resolve the issue before publicly disclosing it.

Reward

While we value contributions to our security, we do not currently offer cash rewards or bounties for vulnerability reports. We may publicly acknowledge and credit researchers who comply with our policy, if desired.
