Our security vulnerability reporting policy

Updated: 15/10/2020

§1 Why read this?

Although our engineering team at By Miles makes every effort to keep data safe and secure, we value the work done by security researchers and invite them to study our systems across all supported platforms - helping us make it even safer for our customers and members. This policy explains how to notify us of a potential security vulnerability and in turn what you can expect from us.

§2 Responsible disclosure guidelines

If you are a security researcher and would like to report a security vulnerability with a By Miles system, please send a bug report email to providing the following for each report:

  • Your full name;
  • Email address;
  • Company name (if applicable);
  • Bug description;
  • Steps to reproduce the bug;
  • Affected By Miles domain/subdomain;
  • Affected URL/Endpoint/API;

We prioritise encrypted reports, so please include your PGP public key with these reports.

Download the By Miles Ltd PGP key.

We promise to investigate legitimate reports and in turn will make every effort to correct any vulnerability quickly. To participate, we require you to follow our guidelines. Responsible investigation and reporting includes, but is not limited to, the following:

  • As above, please provide details of the vulnerability, including a description, information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC) if required;
  • Do not violate the privacy of our customers, destroy or modify data, or disrupt or degrade our services;
  • Do not target our physical security measures, or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks;
  • If you find a severe vulnerability that allows system access, you must not proceed further;
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report;
  • Give us a reasonable time to correct the issue before making any information public;

In general, we request that you investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our customers. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.

We will attempt to respond to your report in 5 days; please allow us this time before sending another email on the matter.

§3 Hall of Fame

By Miles appreciates and recognises the contributions of security researchers. If you are the first researcher to report a vulnerability that we confirm, we will send you some By Miles swag and agree to list your name in the By Miles Hall of Fame, unless you would prefer to remain anonymous. You must comply with our Responsible disclosure guidelines to be considered for the Hall of Fame and to receive swag.

  • Sohail Ahmed
  • Aman Mahendra
  • Muhammad Asjad Sheikh
  • Bulletproof Security
  • Cyberis Limited

For particularly severe vulnerabilities, our security committee may make a discretionary cash award.
