# Vulnerability Disclosure Policy
We appreciate security researchers who help improve the security of Telenor Software Lab (TSL) products. If you have discovered a potential security vulnerability, we encourage you to report it responsibly.
## Responsible Disclosure
- Report any potential security issues as soon as possible, and we will work to resolve them promptly.
- Allow us a reasonable time to investigate and address the issue before publicly disclosing it.
- Avoid privacy violations, data destruction, or service disruption. Only interact with your own accounts or those for which you have explicit permission.
## Safe Harbour Policy
We will not take legal action against researchers who act in good faith and comply with this policy. Unauthorised access to data or services beyond what is necessary for verification is strictly prohibited.
## Products in Scope
This policy applies to the Capture and Min Sky applications for iOS, Android, and web, along with their associated APIs and backends. **No other TSL or Telenor Group products are included**.
## Definition of a Vulnerability
A vulnerability is any security weakness that could impact the **confidentiality, integrity, or availability** of our systems or data.
We do **not** consider the following as vulnerabilities:
- SPF/DMARC record configurations
- Account policies (e.g., email verification, password complexity)
- Lack of CSRF tokens unless affecting sensitive user actions
- Login/logout CSRF
- Attacks requiring physical access to a user's device
- Missing security headers with no direct security impact
- Self-XSS without a demonstrated attack vector
- Host header injection without proof of data exfiltration
- Use of known-vulnerable libraries without evidence of exploitability
- Reports from automated scanners without manual validation
- Spam-related issues (e.g., sending emails without rate limits)
- Attacks relying on screen overlay permissions (e.g., tapjacking)
- Issues affecting outdated browsers or platforms
- Social engineering of TSL employees or contractors
- Physical security concerns (e.g., office or data centre access)
- Autocomplete attributes on non-sensitive web forms
- Missing security flags on non-sensitive cookies
- Weak SSL/TLS ciphers without a demonstrated attack
- Exploits requiring rooted or jailbroken devices
- Bypassing storage limits
- Ability to upload files with incorrect extensions
## How to Report a Vulnerability
Please report vulnerabilities via our [security.txt](/.well-known/security.txt).
Your report should include:
- Type of vulnerability (XSS, RCE, SQL Injection, etc.)
- Impacted product and version (or URL for web-based issues)
- Potential impact (data exposure, privilege escalation, etc.)
- Step-by-step reproduction instructions
- Proof-of-concept (if applicable)
## Response Timelines
- Acknowledgement: Within **5 business days** of report submission.
- Initial Assessment: Within **10 business days**, we will confirm if the issue is valid and in scope.
- Resolution Timelines:
  - Critical issues: We aim to resolve within **30 days**.
  - High/Medium issues: We aim to resolve within **60 days**.
  - Low-severity issues: Resolution may take longer, with periodic updates.
- We will keep you informed throughout the process and notify you when a fix is deployed.
## Recognition
We may, at our discretion, offer recognition or rewards for valid vulnerability reports. Contributors may also be acknowledged in our [Security Hall of Fame](/security/halloffame.html).