As a global leader in media and in SaaS for publishing, The Current News embraces responsible software development norms. To support a healthy internet ecosystem, we are sharing our Vulnerability Disclosure Policy. This policy describes the submission process for security researchers who want to share their findings with our engineering teams.
Our commitment to independent researchers:
To maintain confidentiality and exclusivity in the disclosure and remediation process
To strive to validate and remediate all serious findings in a timely manner
To respond clearly whenever remediation or validation efforts may be delayed
Our request:
As we promise confidentiality, we ask that researchers do the same. Please do not disclose information about shared findings without written permission from our team.
Provide detailed and clear reproduction steps (proof of concept) when sharing findings, so we may validate them in a timely manner.
Save time by paying close attention to the out-of-scope section below.
Include an email address with the submission, so we can reach out for technical clarifications and follow-up.
Out-of-scope:
Testing the physical security of our offices, employees, or equipment
Any non-web attacks such as social engineering or phishing
DoS/DDoS, or any other testing that may impact the operation of our systems
App or network scan reports, unvalidated test results, or “theoretical” findings
Access to, or modification of, any account that does not belong to the researcher
Testing which results in form or email spam, or unsolicited messages or alerts
Testing third-party SaaS apps or services, except self-hosted, IaaS, or CDN assets
Defacing any assets, or doing anything that may result in brand damage
In-Scope Examples:
Broken object-level authorization (BOLA/IDOR), OWASP API Top 10 issues, multi-stage logic flaws, account enumeration and identifier iteration flaws, XML injection, authentication and authorization problems, cloud data leakage, critical vulnerabilities in outdated software versions, provable RFI/LFI, file upload exploits, WAF bypasses.