Security Policy
Our commitment to security, responsible disclosure, and protecting our systems and users.
Security Contact
Email: info.myonlinedesigner@gmail.com
Encryption: PGP Key
Responsible Disclosure Policy
Our Commitment
At My Online Designer, we consider the security of our systems a top priority. However, no matter how much effort we put into system security, there can still be vulnerabilities present.
Reporting Vulnerabilities
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to info.myonlinedesigner@gmail.com
- Do not take advantage of the vulnerability or problem you have discovered
- Do not reveal the problem to others until it has been resolved
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties
- Do provide sufficient information to reproduce the problem so we can resolve it as quickly as possible
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date
- If you have followed the instructions above, we will not take any legal action against you in regard to the report
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
- We will keep you informed of the progress towards resolving the problem
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
Scope
This policy applies to any digital assets owned, operated, or maintained by My Online Designer, including:
- myonlinedesigner.com and all subdomains
- Our web applications and APIs
- Our cloud infrastructure
- Any client projects under our maintenance
Out of Scope
The following activities are out of scope for our vulnerability disclosure program:
- Clickjacking on pages with no sensitive actions
- CSRF on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues reported without a demonstrated attack vector or without the ability to modify HTML/CSS
Safe Harbor
We consider security research conducted under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research, and we waive those restrictions on a limited basis
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
Recognition
We believe in recognizing the contributions of security researchers who help us keep our systems secure. With your permission, we will:
- Credit you in our security acknowledgments page
- Include your name (if desired) in any public statements about the fixed vulnerability
- Consider additional recognition for significant findings
Need to Report a Security Issue?
Please email us at info.myonlinedesigner@gmail.com with details about the vulnerability.