Vulnerability Disclosure Policy

Last updated on May 29, 2026

The security and safety of our customers' data are of utmost importance to Rox. We value contributions from our community that help us identify and address vulnerabilities in our products and services.

How to Report an Issue

If you've discovered a security vulnerability, please send an email to security@rox.com with the following information:

  • A summary of the vulnerability and its potential impact.

  • Detailed steps to reproduce the issue, including screenshots.

  • Your environment details, such as operating system, browser, and device.

  • If possible, proof-of-concept code that demonstrates the exploit.

We will investigate the issue, keep you informed of our progress, and may reach out for further details if necessary.

Recognition

We deeply value the efforts of researchers and community members who help keep Rox secure. While we do not currently operate a paid bug bounty program, we are committed to acknowledging meaningful contributions. With your permission, we are happy to publicly credit researchers who report valid, previously unknown vulnerabilities that materially improve the security of our services.

Covered properties

run.rox.com

Eligible vulnerability classes

Any bug that meaningfully impacts the security of Rox or our customers may be eligible. It is at Rox's discretion to decide whether a report qualifies. Examples include:

  • Remote Code Execution

  • SQL Injection

  • Server-Side Request Forgery (SSRF)

  • Cross-Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Authentication bypasses and privilege escalation

  • Protection mechanism bypasses (CSRF bypass, etc.)

  • Local or remote file inclusion

  • Directory traversal

  • Leakage of sensitive data

  • Administration portals exposed without authentication

  • Open redirects that allow stealing tokens or secrets

Out of Scope

Excluded properties

  • Non-production properties such as dev.rox.com, unless you have written approval from Rox

  • Third-party hosted sites, unless the issue leads to a weakness on rox.com

Attack types we don't accept reports on

  • Social engineering, spam, or phishing

  • Brute force attacks

  • Denial of Service or DDoS attacks

  • Attacks requiring Man-in-the-Middle (MitM) positioning

  • Attacks requiring physical access to a device

  • Automated scanning that causes operational impact

Low-impact or informational findings

  • Self-XSS

  • Clickjacking on pages without sensitive actions

  • CSRF on actions with minimal impact

  • Open redirects without a meaningful security impact

  • Cache poisoning without demonstrable impact

  • Missing rate-limiting

  • Application stack traces or path disclosures

  • Missing security headers, version banners, and similar best-practice findings

  • Incomplete or missing SPF, DMARC, or DKIM records

  • HSTS not enabled on *.rox.com

  • Vulnerabilities affecting outdated or unpatched browsers or operating systems

  • Theoretical vulnerabilities without a demonstrable exploit

  • Bugs without security implications

Reporting status

  • Issues that are not reproducible

  • Bugs already known to us or previously reported (recognition goes to the first reporter)

Vulnerability Disclosure Policy

When you report a vulnerability to us, we ask that you:

  • Give us reasonable time to investigate and remediate the issue before disclosing it publicly or sharing details with anyone outside Rox.

  • Act in good faith to avoid privacy violations and service disruption. Don't access or destroy data, and don't interrupt or degrade our services while testing.

  • Stop at proof of concept. Once you've demonstrated the issue exists, don't escalate, i.e. no further data access, no probing for related weaknesses, and no exploitation of any kind.

  • Stay within the law. Don't take any action that would violate applicable laws or regulations, including those governing unauthorized access to data.

  • Treat all user and company data as off-limits. This policy does not authorize you to access personally identifiable information or any data relating to an identifiable person.

Guidelines & Rules

To participate in our program in good standing, please follow these rules:

  • Residents of countries or regions under U.S. sanctions are not eligible to participate.

  • Don't violate our Terms of Service. Unauthorized penetration testing is not permitted.

  • Test only against accounts you own. Don't access, interact with, or disrupt accounts belonging to anyone else.

  • Don't target our physical security, and don't use social engineering, spam, or DDoS techniques.

  • If you uncover a vulnerability that grants system access, stop immediately and report what you've found. Do not go further.

  • Keep your reports between you and us. Don't share findings or details with any third party.

  • Treat your communications with our security team as confidential, and destroy any artifacts (proof-of-concept code, screenshots, recordings) once the report is closed.

  • Please limit status update requests to roughly once a week. Frequent check-ins slow our response time for everyone.

  • Rox decides how and when each issue is addressed.

  • Threatening behavior, exploitation for personal or third-party benefit, or misuse of a discovered vulnerability will disqualify your report and remove you from the program.

Thank you for helping us keep Rox and our customers safe.

Rox is committed to the privacy and security of its users. Customer data processed through the Rox platform is encrypted in transit and at rest using AES-256 encryption and is never used to train generalized machine learning models. Rox maintains SOC 2 Type II compliance and undergoes independent third-party security audits on an annual basis. All AI-generated outputs, including but not limited to prospect recommendations, message drafts, meeting summaries, and pipeline scoring, are provided for informational purposes and should be reviewed by authorized personnel before any action is taken. Performance metrics referenced on this website, including pipeline generation figures, response rates, and revenue impact, reflect results reported by individual customers under specific configurations and may not be representative of all deployments. Actual results will vary based on factors including but not limited to data quality, CRM configuration, outreach volume, market conditions, and target audience. Rox does not guarantee specific revenue outcomes. The Rox platform integrates with third-party services including Salesforce, HubSpot, Gmail, Microsoft Outlook, Slack, and others; availability and functionality of third-party integrations are subject to the respective providers' terms of service and may change without notice. Features described as "autopilot," "autonomous," or "automated" operate within user-defined parameters and require initial configuration and ongoing oversight. Rox, the Rox logo, and "Revenue on Autopilot" are trademarks of Rox Data Corp. All other trademarks are the property of their respective owners. Service availability is subject to the terms outlined in your enterprise agreement. For questions regarding data processing, compliance certifications, or platform capabilities, contact security@rox.com.

Copyright © 2026 Rox. All rights reserved. 251 Rhode Island St, Suite 205, San Francisco, CA 94103
