Get started
Legal

Vulnerability Reporting Policy

Last revised: August 25, 2025

At Demand.com, Inc., safeguarding our technology and user data is a top priority. We actively encourage responsible security research and disclosure. This program sets out how researchers can report potential vulnerabilities while ensuring systems remain stable and users remain protected.

1. Disclosure Principles

  • No Data Tampering: Never view, alter, or delete information beyond what is required to demonstrate the issue.
  • No Service Impact: Do not perform actions that degrade service, affect availability, or compromise other users.
  • Evidence Required: Reports should include clear technical details, reproduction steps, and, when possible, proof-of-concept material.
  • Response Commitment: Demand.com strives to acknowledge receipt of valid reports within 72 hours and will maintain communication until resolution.

2. Systems in Scope

Security research should focus exclusively on Demand.com’s cloud-based infrastructure. Covered areas include:

  • Public-facing web applications and APIs managed by Demand.com
  • Corporate domains such as *.demand.com
  • Third-party-hosted infrastructure tied to our services
  • Cloud storage solutions where data is intentionally public (note: do not attempt bulk extraction of stored data)

3. Types of Issues We’re Looking For

We welcome findings that clearly demonstrate risk or potential misuse, including but not limited to:

  • Sensitive data leaks (e.g., PII, financial information)
  • Misconfigured cloud permissions
  • Remote Code Execution (RCE)
  • Injection vulnerabilities (SQL or similar)
  • Privilege escalation or bypass of access controls
  • Server-Side Request Forgery (SSRF)
  • Weaknesses in open-source components used by our platform
  • Cross-Site Scripting (XSS) with privacy or data impact

4. How to Submit a Report

Send all reports to security@demand.com using the subject line:
“Vulnerability Report — [Type of Vulnerability]”

Your report should include:

  • Your name and contact information
  • A clear summary of the vulnerability and its impact
  • Step-by-step instructions to reproduce the issue
  • Any supporting code, scripts, or screenshots
  • A CVSS-based severity rating (if available)

Acknowledgment will be provided within 72 hours of submission.

5. Recognition & Rewards

Demand.com deeply values community contributions to improving our security. At this time, we do not offer monetary rewards or bounties for submitted findings.

6. Legal Safe Harbor

Research performed in good faith within this program’s rules will be considered authorized by Demand.com, Inc. We will not pursue legal action against individuals acting responsibly and within scope. However, activities falling outside these guidelines may result in enforcement measures.