Security: Pocket-Congress/Contribute

SECURITY.md

Vulnerability Disclosure Policy

Supported Platforms

You may (and should) report security vulnerabilities found in the Pocket Congress iOS app, the Pocket Congress website, and any API endpoints used by Pocket Congress.

Reporting a Vulnerability

There are a few options to safely report a vulnerability:

  • Report through GitHub: Create an advisory through the "Security" tab of the Pocket-Congress/Contribute GitHub repo. Please include a reply email for follow-up.
  • Report by Email: Send an email to responsible-disclosure@pocketcongress.org. We do not support PGP-encrypted email.

In both cases, please include all relevant information including code, screenshots, and reproduction steps, as appropriate.

If you feel these methods are not secure enough, reach out to siddharth@pocketcongress.org and we will work with you to set up an alternate line of communication.

Caution

If you have discovered a security vulnerability, DO NOT open a GitHub Issue or post in any other publicly-available location. We request that you refrain from sharing your report with others while we fix the issue. Please check with us before self-disclosing.

Security Research

Scope

If you aren't sure whether a system or endpoint is in scope or not, contact us via security-research@pocketcongress.org before starting your research.

The following test types are not authorized:

  • Network denial of service (DoS or DDoS) tests.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
  • Brute-force attacks against login interfaces.

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately. Disclosure of the following may not be made to any third party:

  • Personally identifiable information (PII)
  • Financial information (e.g. credit card or bank account numbers)
  • Proprietary information or trade secrets belonging to any party

Legal

You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

Pocket Congress does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.