Security Reporting

Our Commitment

Security of our users’ data is of utmost importance at JourneyApps. We welcome the disclosure of any vulnerability you may find in our platform.

We will treat each security report with the utmost seriousness. We commit to communicating promptly while we investigate the impact on our customers and will remediate the issue if deemed necessary.

We uphold the principles of Responsible Disclosure, including but not limited to:

  • Make every effort to avoid accessing data of other users, and avoid disruption of our services.
  • Keep within our Terms of Service.
  • Avoid publicly disclosing any vulnerability until JourneyApps has had reasonable time to resolve or mitigate the issue.

Additionally, avoid any social engineering or phishing targeting our customers or employees, and do not physically access any of our properties.

If you follow the responsible disclosure guidelines, we commit to:

  • Treat each report with the utmost seriousness.
  • Communicate promptly, and work with you to understand and resolve the issue.

JourneyApps does not operate a bug bounty program at this time, but may choose to offer a reward for security reports at our discretion.

How to report an issue

Contact security@journeyapps.com with details on the issue.

Include at least the following information:

  1. A description and severity of the issue.
  2. Steps to reproduce the issue.
  3. Any sensitive details that you may have accidentally accessed during the research.

If you plan to provide sensitive credentials or data in the report, please let us know, and we will provide you with a public GPG key for encryption.

What reports we are interested in

We are interested in any reports affecting the security of our platform.

Our customers may host applications on our platform, and these are not considered part of the platform. We may, however, choose to forward reports for these applications to the relevant customer. This includes any application hosted on the domains poweredbyjourney.com or onjourneyapps.com.

We are not interested in reports of:

  • Common non-vulnerabilities, such as those listed here: https://sites.google.com/site/bughunteruniversity/nonvuln
  • Issues that are not exploitable.
  • Security best practice concerns. For example, issues pertaining to password policies such as password complexity, password reuse, etc.
  • Results from automated scans.
  • Social engineering or phishing attacks.
  • Extracting data using a compromised device or credentials.

Please reach out to us if anything is unclear.