Vulnerability Disclosure Program
Help us keep RosterElf secure. Report security vulnerabilities responsibly and we'll work with you to address them.
About our VDP
Welcome to RosterElf's Vulnerability Disclosure Program (VDP). We take the security of our platform seriously and value the work of security researchers who help us identify and address vulnerabilities responsibly.
Please read the information below carefully before disclosing a security issue to us. By participating in this program you agree to act in accordance with the terms set out here.
Out-of-scope activities
RosterElf considers the following activities either potentially harmful to the platform, or not helpful in securing our environment or applications:
- Social engineering, including phishing
- Network DoS/DDoS attacks
- Brute-force attacks
- Physical attacks
- Any activity that modifies or destroys data
Out-of-scope vulnerability types
RosterElf considers the following vulnerability classes as out of scope:
- Missing web security headers
- Phishing-enablement issues (e.g. tabnabbing)
- Email server misconfiguration (SPF, DKIM, DMARC)
- No CSRF on logout button
- Missing Content-Security-Policy header and X-Frame-Options bypasses
- Security-related cookie flags
- Wide SSL certificate scope
- Weak SSL ciphers / insufficient TLS versions
- Email template injection
- Results from automated tooling
- Broken links or redirects
- Internal IP address disclosure
- Minor infrastructure detail disclosure
- Verbose error messages without significant impact
- Insecure HTTP request methods
- Issues related to unsupported browser versions
- Issues related to robots.txt
Safe harbour
Provided you conduct vulnerability research in line with the terms set out here, we consider this research to be:
- Authorised under applicable Australian law, including the Criminal Code Act 1995 (Cth) — Part 10.7 (Computer Offences), and we will not initiate or support legal action against you for accidental, good faith violations of this policy.
- Exempt from restrictions in our terms of use or other relevant terms and conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
- Lawful, helpful to the overall security of the internet, and conducted in good faith.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us for clarification before proceeding.
Terms of service
- Do not cause harm to RosterElf, its customers, shareholders, partners, or employees.
- Do not engage in any act that may cause an outage or stop any of RosterElf's services.
- Do not engage in illegal activities, and ensure compliance with all applicable national, international, federal, state, and local laws and regulations.
- All activities performed must comply with the RosterElf terms and conditions, or any other relevant RosterElf terms.
Reward policy
RosterElf does not offer financial compensation for vulnerability disclosures. However, all efforts to help make RosterElf more secure are greatly appreciated, especially high-quality or high-impact submissions.
Report quality
If you would like to submit a vulnerability report that RosterElf is likely to assess as high quality, please consider including the following in your submission:
- A thorough description of the issue, with clear and concise steps to reproduce.
- A detailed summary of the impact of the vulnerability.
- Clear proof of reliable reproduction of the vulnerability, such as screenshots, screen recordings, and so on.
How to report
To report a vulnerability, send an email to our security team. We will acknowledge your report as soon as possible and keep you informed as we investigate. Thank you for helping us keep RosterElf and our customers safe.
Frequently asked questions
- A Vulnerability Disclosure Program (VDP) is a formal process that allows security researchers to safely report security vulnerabilities they discover in a company's systems. It defines the scope of research, the rules of engagement, and how reports should be submitted.
- We will acknowledge your report as soon as possible and keep you informed as we investigate. Our security team will triage the issue, assess its impact, and work to remediate it. We appreciate your patience during this process.
- RosterElf does not offer financial compensation for vulnerability disclosures. However, all efforts to help make our platform more secure are greatly appreciated, especially high-quality or high-impact submissions.