Responsible Disclosure Policy

We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and AirMap until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

  • www.airmap.com
  • api.airmap.com
  • app.airmap.com

Out of scope

Any services hosted by third-party providers and services are excluded from scope. These services include, but are not limited to:
  • Mapbox
  • Google Services (analytics, search)
  • Firebase
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@airmap.com. Please include the following details with your report:
  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our PGP key below.