We recommend reading this security document fully before you report any vulnerabilities. This helps ensure that you understand everything stated, and act in compliance with it.
If you have discovered something you believe to be an in-scope security vulnerability, please email peakperformers@geocodeapp.tech with the subject SECURITY.
Your report should provide a benign proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately and reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities.
This disclosure policy applies only to vulnerabilities in the GeoCode project under the following conditions:
- ‘in scope’ vulnerabilities must be original, previously unreported, and not already discovered.
- volumetric vulnerabilities are not in scope: simply overwhelming a service with a high volume of requests does not qualify.
- reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice” are not in scope.
- TLS configuration weaknesses are not in scope, for example “weak” cipher suite support or the presence of TLS1.0 support.
The following versions of the GeoCode project are still supported, and vulnerability reports for them are still accepted. Please see the table below, which lists the support status of each application version.
| Version | Supported |
|---|---|
| 0.0 - beta | ❌ |
| 0.1 - beta | ✅ |
Peak Performers doesn't offer a paid bug bounty programme for the GeoCode project. Peak Performers will make its best effort to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.
Anyone who finds a security vulnerability must not:
- disrupt the GeoCode project in any way or form.
- access unnecessary amounts of data; access no more than is needed to demonstrate a vulnerability.
- use high-intensity invasive or destructive technical security scanning tools to find vulnerabilities.
- violate the privacy of anyone involved with the GeoCode project.
- modify data in GeoCode systems or services which will affect another entity.
- disclose any vulnerabilities in the GeoCode project to 3rd parties or the public.
- require monetary compensation to disclose any vulnerabilities.
- social engineer, ‘phish’ or physically attack Peak Performers or infrastructure.
This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the GeoCode project to be in breach of any of its legal obligations, including but not limited to (as updated from time to time):
- The Computer Misuse Act (1990)
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
- The Copyright, Designs and Patents Act (1988)
- The Official Secrets Act (1989)
Peak Performers affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on a GeoCode service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.