Responsible Disclosure

Introduction

Purple WiFi greatly appreciates investigative work into security vulnerabilities which is carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community in order to ensure the confidentiality, integrity and availability of our customers’ data. This document aims to define a method by which Purple WiFi can work with the security research community to improve our online security.

Scope

This disclosure policy applies only to vulnerabilities in Purple WiFi websites and under the following conditions:

Only vulnerabilities which are original and previously unreported and not already discovered by internal procedures are in scope.

Currently only the below website domains are in scope:

  • https://*.purpleportal.net/*

The following website/domains are specifically out of scope:

  • *.purple.ai*

Vulnerabilities out of scope:

  • Volumetric vulnerabilities are not in scope (i.e. simply overwhelming our service with a high volume of requests is not in scope)
  • TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS1.0 support etc.) are not in scope
  • Vulnerabilities in non-production environments
  • Reports directly from security scanners
  • Version number enumeration
  • DNS record configuration issues

This policy applies to everyone, including Purple WiFi staff and third-party suppliers.

Reporting a Vulnerability

If you have discovered an issue which you believe is an in-scope security vulnerability, please email the following details to security@purple.ai including:

  • Your name
  • The website or page in which the vulnerability exists
  • A brief description of the class (e.g. “XSS vulnerability”) of the vulnerability. Please avoid including any details which would allow reproduction of the issue at this stage. Detail will be requested subsequently, over encrypted communications. Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it

Unfortunately, we are currently unable to offer a paid bug bounty program. However, we would like to offer reporters of qualifying vulnerabilities a written letter of recommendation as a token of our appreciation for dedication to protecting our data and that of our customers.

Guidance

Security researchers must not:

  • Access unnecessary amounts of data. For example, 2 or 3 records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability)
  • Reveal the problem to others until it has been resolved
  • Violate the privacy of Purple WiFi users, staff, contractors, systems etc. For example, by sharing, redistributing and/or not properly securing data retrieved from our systems or services
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than your dedicated Purple WiFi security contact
  • Modify data in our systems/services which is not your own
  • Take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data
  • Disrupt our service(s) and/or systems
  • Disclose any vulnerabilities to 3rd parties/the public prior to Purple WiFi confirming that the vulnerability has been mitigated or rectified
  • Retain data retrieved during research for longer than it is required, and in any case no longer than 1 week after the vulnerability is resolved, whichever occurs soonest
  • Exceed a request rate of one request per second (RPS); one request per second is considered an acceptable rate. Do not cause any destruction of data on the services

In return, Purple WiFi promises to:

Respond to your report within 10 business days with our evaluation of the report and an expected resolution date, and provide a key and the necessary instructions for encrypted communication of the more sensitive pertinent details and materials. Please note that due to the ongoing pandemic we will endeavour to keep to these timeframes; however, it may not always be possible.

If you have followed the policy as defined on this page, we will not take any legal action against you in regard to the report, and we will:

  1. handle your report with strict confidentiality, and not pass on your personal details to third parties without our permission
  2. keep you informed of the progress towards resolving the problem
  3. in the public information concerning the problem reported, give your name or pseudonym as the discoverer of the problem (unless you desire otherwise)

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications): security@purplewifi.com

Legalities

This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause Purple WiFi to be in breach of any of its legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)

Purple WiFi will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Purple WiFi service.

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team on the address below:
security@purple.ai

This policy will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.

Created on 08 June 2023
Last updated on 06 July 2023
© 2024 Purple. All Rights Reserved.