Ethos Public Vulnerability Disclosure Policy

The information in this section is intended for security researchers interested in reporting security vulnerabilities to the Ethos Information Security team.

Ethos strongly believes that collaboration with the security community is key to maintaining secure environments for our customers and staff. As such, if you believe you've discovered a security vulnerability on an Ethos information asset/application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private while we are working to analyze and resolve the underlying issues before any necessary disclosures are made.

In return, we will work to review reports we receive and respond in a timely manner. Ethos will not seek law enforcement remedies against you for identifying security issues, so long as you abide by applicable law and Ethos policies regarding reports, including: taking no actions that would compromise the safety or privacy of our customers or company data, and/or destroying any sensitive data you might have gathered from Ethos as part of your research once the issues you identified are resolved, or at any time upon request from Ethos.

Thanks for your help!

Vulnerability Program Scope & Rules

In Scope

We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure - Stored Cross-Site Scripting (XSS), SQL Injection (SQLi), etc.
  • Bypass of controls used in the loan application process
  • Authentication or Session Management related issues
  • Remote Code Execution
  • Any clever vulnerabilities or unique issues that do not fall into explicit categories.

Out of Scope

The following vulnerability categories are considered out of scope for our responsible disclosure program and should be avoided by researchers.

  • Denial of Service (DoS) - whether through network traffic, resource exhaustion or other means.
  • User enumeration
  • Issues only present in old browsers, old plugins or end-of-life software
  • Phishing or social engineering of Ethos employees, users or clients
  • Systems or issues that relate to third-party technology used by Ethos
  • Disclosure of known public files and other information disclosures that are not a material risk (e.g. robots.txt)
  • Any attack or vulnerability that hinges on a user’s computer being first compromised

Vulnerability Rewards

Our public program currently does not provide any monetary reward beyond Ethos’s eternal gratitude. At Ethos’s discretion, we may make exceptions to this policy for exceptional contributions (subject to the Legal Notices below).

Report a Security Vulnerability

Alternatively, please send us an email at security.talk@getethos.com and provide as much information as you can regarding the vulnerability. The following types of information will be particularly helpful to us:

  • Summary of the vulnerability
  • Type and severity
  • Any proof of concept and remediation options you see fit

Legal Notices

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary program. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion.

Lastly, your testing must not violate any law.