Vulnerability Disclosure Policy

Introduction

At Updraft, the security of our platform and the protection of our customers' data are our top priorities. We understand that despite our best efforts, vulnerabilities can exist. We value the role of independent security researchers and the community in helping us maintain the safety and reliability of our app distribution platform. If you believe you have found a security vulnerability in Updraft, we encourage you to report it to us as quickly as possible. This policy outlines the steps for reporting vulnerabilities, what we expect from you, and what you can expect from us.

Authorization & Safe Harbor

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Updraft will not recommend or pursue legal action related to your research.

As a Swiss-based company, we interpret activities that comply with this policy as authorized access under the Swiss Penal Code (specifically regarding Art. 143, Art. 143bis, and Art. 144bis).

Scope

In-Scope

This policy applies to all digital assets owned, operated, or maintained by Updraft, specifically:

  • *.getupdraft.com
  • The Updraft mobile and desktop applications (iOS, Android, Windows, macOS)
  • Our API endpoints

Out-of-Scope

  • Third-party services or websites integrated with Updraft (e.g., payment providers, linked external tools). Vulnerabilities in these systems should be reported directly to the vendor.
  • Volumetric or Denial of Service attacks (DoS/DDoS).
  • Social engineering (including phishing) of our employees, customers, or contractors.
  • Physical attacks against our offices, data centers, or infrastructure.

Rules of Engagement

To protect our users and systems, we ask that you:

  1. Do not access, modify, or delete data that does not belong to you. If a vulnerability provides unintended access to data, limit your access to the minimum required to demonstrate the Proof of Concept (PoC).
  2. Do not compromise the availability or reliability of our services (e.g., no brute force or heavy automated scanning).
  3. Do not publicly disclose the vulnerability until we have resolved the issue and given permission to do so (Coordinated Vulnerability Disclosure).
  4. Do interact only with test accounts you own or for which you have explicit permission.

How to Report

Please submit your findings via e-mail to support@getupdraft.com

Your report should include:

  • Description: A detailed description of the vulnerability and its potential impact.
  • Steps to Reproduce: Clear instructions, URLs, or screenshots that allow us to reproduce the issue.
  • Proof of Concept: Sample code or a video demonstration (if applicable).
  • Contact Info: Your name or pseudonym (if you wish to be recognized).

Our Commitment

When you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledge receipt of your report within 3 business days.
  • Review and validate your findings in a timely manner.
  • Keep you informed of the progress as we resolve the issue.
  • Notify you when the vulnerability has been fixed.
  • Recognition: We will acknowledge your contribution (with your permission) if you are the first to report a unique, valid vulnerability that leads to a code or configuration change.

Legal Note

This policy is designed to be compatible with common vulnerability disclosure standards. However, it does not grant permission to violate any applicable laws. Updraft reserves the right to modify this policy at any time.