Here at Buildxact, we take security and the privacy of our customers’ data very seriously. We believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. To proceed, you will need to navigate to this special link to sign up for a free trial. This will help us identify that the trial is created to search for security issues in our product.
Our Responsible Disclosure programme is managed by Bugcrowd as a points-only programme (monetary rewards are no longer paid).
Are you a Buildxact user? Have you found a bug?
If you are a Buildxact user and have found a bug in our software or any of our tools, please DO NOT report it using this process. This page is for security vulnerabilities only. For any issues relating to the functionality of Buildxact software, please visit here: https://merchant.buildxact.co.nz/support/
- If you are not an existing user, set up a Free Trial by clicking this special link so we can identify that the trial was created to search for security issues.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of Buildxact and the account holder.
- When reviewing your report, our decision is final as to whether we consider your report to be a security issue or not.
We’d like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Buildxact staff or contractors
- Any physical attempts against Buildxact property or data centres
How to submit a report
Fill in the form at the bottom of this page to submit your report.
Bear in mind that:
- We do not consider the following to be security issues, so please do not report any of them:
  - Ability to sign up for multiple trial accounts
  - Ability to sign up for a new trial after ending your first one
  - EXIF metadata not being stripped
  - Ability to upload PHP files (our system does not run PHP)
  - Any other business logic issue that does not represent a security vulnerability
- You must have set up a Free Trial account using this special link so we can identify it as an Ethical Hacking account.
- We run four localised versions of our WordPress site on four different domains. These are considered a single codebase, and if an issue is reported on one of them, we will consider it a duplicate if the same issue is reported on another one.
- Currently we do not publish a list of known security issues. It may be that an issue that you report is already known to us; if this happens, you may not be eligible for Bugcrowd points.
Bugcrowd will action your submissions and start working with us and you within 3 business days. Once submissions are validated and triaged by Bugcrowd, we commit to accepting/reaching out on those within 5 business days of triage.
Buildxact used to offer a monetary bug bounty programme. However, we no longer offer monetary rewards; instead, we now participate in Bugcrowd’s points-based programme.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorised in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
Thank you for helping keep Buildxact and our users safe!