Upstream's Vulnerability Disclosure Policy (VDP)

In-Scope Assets

Primary Web and API Assets:

• *.upstream.auto (Main website and all subdomains)
• *.upstreamsecurity.com (Main website and all subdomains)
• *.upstreamsecurity.io (Application and all subdomains)
• *.upstream-c4.io (Application and all subdomains)

Cloud Infrastructure:

• Publicly reachable cloud instances and storage buckets owned by Upstream Security LTD’s.

Qualifying Vulnerabilities

• Injection Flaws: SQL Injection, Command Injection, etc.
• Authentication & Session Issues: Broken authentication, session hijacking, or bypasses.
• Cross-Site Scripting (XSS): Stored or Reflected XSS.
• Access Control: Insecure Direct Object References (IDOR) or privilege escalation.
• Sensitive Data Exposure: Unprotected API keys, PII leaks, or exposed credentials.
• Server-Side Request Forgery (SSRF).
• Prompt Injections: On Applications and Agents built by Upstream Security LTD’s

Out-of-Scope Assets & Activities

• Third-Party Services: Any services not owned by Upstream Security LTD (e.g., your AWS console, Azure Portal, GCP, Google Workspace, Gmail, Slack, login pages).
• Social Engineering: Phishing, Vishing, or Smishing attacks against Upstream Security LTD employees or customers.
• Physical Security: Attempts to access Upstream Security LTD offices or data centers.
• Denial of Service (DoS/DDoS): Any testing that degrades the performance or availability of services.
• Spamming: Sending high volumes of emails or automated form submissions.

Non-Qualifying Vulnerabilities

• Missing security headers (e.g., CSP, HSTS) that do not lead to a direct exploit.
• Rate limiting issues on non-critical forms.
• Username/Email enumeration on login pages.
• Vulnerabilities requiring an unlikely user interaction (e.g., “Self-XSS”).

“Safe Harbor” Statement

If you conduct your research and disclosure in accordance with this policy, we will consider your actions to be authorized, and we will not initiate legal action against you.