Responsible Disclosure Policy
Ready is committed to protecting the data that drives our marketplace. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate your help in disclosing the issue to us responsibly. Keep in mind, this is not a bug bounty program and we do not offer rewards or compensation for identifying issues. However, if you are the first researcher to report a confirmed vulnerability, we are happy to include your name in our Hall of Fame, unless you wish to remain anonymous.
Our Pledge to you
We are committed to working with you to verify and address any potential vulnerabilities that are reported to us. Additionally, we will not initiate legal action against you as long as you adhere, in good faith, to responsible disclosure practices, including the processes and principles described herein.
Reporting a vulnerability
To report a security issue or vulnerability, send an email to security-reports@compass.com. If you want to encrypt your message using PGP, our public key is available here. Please include a detailed description of the issue, how it was discovered, and steps we can take to reproduce what you have observed. A member of the Ready Product Security Team will review your email and contact you to collaborate on resolving the issue in a timely manner. Please refrain from sharing your report, or any communications relating to your report, with others while we work on implementing a patch. By submitting your report, you agree to treat the report as confidential for at least 90 days after submission.
Some principles to keep in mind
As you conduct your research, we ask that you make a good faith effort to protect the privacy of our users and their data. To that end, please:
- Stop and notify us immediately if you encounter any sensitive information or Personally Identifiable Information (PII).
- Only view information to the extent required to identify the vulnerability and report the vulnerability directly to us. Refrain from saving and/or sharing information.