HELP

Security Vulnerability Reporting Policy

Stitcher believes the security research community provides a valuable service to society ensuring companies are held accountable for the privacy and security of information retained on its customers. We value the efforts put forth by this community and are committed to working collaboratively with security researchers to confirm, replicate, and respond to legitimate reported vulnerabilities. We encourage any security vulnerabilities identified by security researchers to notify us following our vulnerability disclosure process outlined below.

If you have identified a security vulnerability and would like to report it to us, please send an email to security@stitcher.com. Please be sure to include your name, contact information, and company name (if applicable). Please DO NOT include any vulnerability information in the initial email. We will respond to your email with an encrypted session to ensure the security and privacy of information sent and received. Any subsequent correspondence will be secured through encrypted channels and may include vulnerability details.

Responsible Disclosure Guidelines

We will investigate legitimate reports of security vulnerabilities and make an effort to resolve them as soon as reasonably possible. To show good faith and encourage responsible reporting and as long as you comply with our reasonable requests, we promise to not take legal action against you or enlist the assistance of law enforcement to investigate you if you follow our guidelines for responsible disclosure noted below:

  • Provide a detailed account of the vulnerability, including information necessary to replicate and confirm the vulnerability
  • Do not alter, view or retrieve data that does not belong to you
  • Avoid violating the privacy of others, destroying data and interrupting or degrading our services
  • Give us a reasonable amount of time to correct the vulnerability before making any information public

We will attempt to respond to your report within 1-2 business days of receiving it.