VULNERABILITY DISCLOSURE POLICY

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. Note that any submission of potential vulnerabilities is voluntary and subject to terms and conditions delineated in this Policy. By submitting a finding, a researcher acknowledges reading and agreeing to this Policy.

This policy explains to customers what counts as a vulnerability when using our platform, so that customers can report the vulnerabilities they encounter, helping us find and repair them and improve the experience of using our platform services.

Scope:

Website: https://www.piaproxy.com/, including the following subdomains:

show.piaproxy.com

checkout.piaproxy.com

account.piaproxy.com

Any service not expressly listed above, such as any connected and internal services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

Out-of-Scope Vulnerabilities:

Network-level Denial of Service attacks;

Application Denial of Service by locking user accounts;

Descriptive error messages or headers (e.g., Stack Traces, banner grabbing);

Disclosure of known public files or directories (e.g., robots.txt);

Outdated software/library versions;

OPTIONS/TRACE HTTP method enabled;

CSRF on logout;

CSRF on forms that are available to anonymous users;

Cookies that lack HttpOnly or Secure flags for non-sensitive data;

Self-XSS and issues exploitable only through Self-XSS;

Attacks requiring physical access to a user’s device;

Username enumeration based on login or forgot password pages;

Enforcement policies for brute force, rate limiting, or account lockout;

SSL/TLS best practices;

SSL attacks, such as BEAST, BREACH, or Renegotiation attack;

Clickjacking without additional details demonstrating a specific exploit;

Mail configuration issues including SPF, DKIM, DMARC settings;

Use of a known-vulnerable library without a description of an exploit specific to our implementation;

Password and account recovery policies;

Presence of autocomplete functionality in form fields;

Lack of email address verification during account registration or account invitation;

Lack of email address verification during password restore;

Session control during email/password changes.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and PIA Proxy will not recommend or pursue legal action related to your research.

You are expected, as always, to comply with all applicable laws. If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Guidelines

Under this policy, “research” means activities in which you:

Notify us as soon as possible after you discover a real or potential security issue.

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.

Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.

Do not intentionally compromise the privacy or safety of PIA Proxy personnel, or any third parties.

Do not intentionally compromise the intellectual property or other commercial or financial interests of any PIA Proxy personnel or entities, or any third parties.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

Performing actions that may negatively affect PIA Proxy or its users (e.g., Spam, Brute Force, Denial of Service…).

Automated vulnerability scanners are strictly prohibited; we use them ourselves, so there is no need to send duplicates.

Automated testing is only permitted within the context of verification of an exploit and only at a reasonable amount and rate of around six requests per second or less.

Specialized custom scripts and fuzzing tools are still permitted, but please keep your traffic to six requests per second or less when using them.

Accessing, or attempting to access data or information that does not belong to you.

Destroying or corrupting, or attempting to destroy or corrupt data or information that does not belong to you.

Retaining any personally identifiable information discovered in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.

Any exploitation actions that go beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.

Conducting any kind of physical or electronic attack on PIA Proxy personnel or property.

Social engineering any PIA Proxy service desk, employee or contractor.

Requiring financial compensation in order to disclose any vulnerabilities outside of a declared policy (such as holding an organization to ransom).

How to report a vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing support@piaproxy.com.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that any compensation or future reward related to your submission is solely at the discretion of PIA Proxy.

Disclosure

PIA Proxy is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is likely to increase rather than decrease risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.

Questions

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, or whether a system is in scope or not [or should be], or have questions in general regarding this policy, please contact us at support@piaproxy.com before going any further. We also invite you to contact us with suggestions for improving this policy.

Effective date: July 2022