Seznam Security Policy
It is our mission to keep our users safe online by providing secure products to protect them and maintain their privacy. Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our customers, partners and employees. If you find any indications of a vulnerability in any of our systems, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Security Policy.
Expectations
- We will work with you to understand and validate your report, including a timely initial response to the submission,
- We will work to remediate discovered vulnerabilities in a timely manner,
- We will recognize your contribution and may reward you for high or critical issues reported to us.
Scope
The scope of this Security Policy includes services on domains owned by us. To determine if a domain falls under our ownership, please check the domain's holder in the whois database; if the holder is SEZNAM-CZ-AS Seznam.cz, a.s., it is included in our policy. Additionally, domains pointing to our IP ranges (2a02:0598::/32 for IPv6 and 77.75.72.0/20 for IPv4) are also within our scope. Please note that services hosted by third parties are not included.
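A scope check for the IP-range rule above, written here as an added example that is not part of Seznam's policy or tooling; the domain names and the resolver are constructed so it runs offline, and a real resolver (e.g. socket.getaddrinfo) would be substituted in practice:

```python
import ipaddress
from typing import Callable, Iterable

# The policy writes the IPv4 range as 77.75.72.0/20. That prefix has host bits
# set, so ipaddress refuses it in strict mode; strict=False normalizes it to
# 77.75.64.0/20. Confirm the intended range with the published policy text.
SEZNAM_RANGES = [
    ipaddress.ip_network("2a02:0598::/32"),
    ipaddress.ip_network("77.75.72.0/20", strict=False),
]


def ip_in_scope(ip: str) -> bool:
    """True if the address lies inside one of the published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SEZNAM_RANGES)


def domain_in_scope(domain: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """True only if the domain resolves and every address is in range.

    A host with any out-of-range address (for instance one fronted by a
    third-party CDN) is treated as out of scope, matching the policy's note
    that third-party-hosted services are excluded.
    """
    addrs = list(resolve(domain))
    return bool(addrs) and all(ip_in_scope(a) for a in addrs)


# Constructed lookup table standing in for DNS (hypothetical names).
SAMPLE_DNS = {
    "in-range.example": ["77.75.79.10", "2a02:598:abcd::1"],
    "third-party.example": ["77.75.79.10", "203.0.113.5"],
    "unrelated.example": ["198.51.100.7"],
}


def sample_resolver(domain: str) -> list:
    return SAMPLE_DNS.get(domain, [])


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, "in scope" if domain_in_scope(name, sample_resolver) else "out of scope")
```

The whois ownership check the policy also asks for is not automated here; treat the IP test as one of the two conditions, not a replacement for it.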
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be:
- Authorized in view of any applicable laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy, and we will not bring a claim against you for circumvention of technology controls,
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
By submitting any information, you are granting Seznam a perpetual, royalty-free and irrevocable right to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
Contact
You may submit your report to the email address indicated in our security.txt file. We encourage you to use PGP in any case.
Rules and guidelines
To avoid any confusion between legitimate research and malicious attack, we ask that you:
- Handle the confidentiality of details of any discovered vulnerabilities according to our Security Policy,
- Play by the rules. This includes following this policy and any other relevant agreements,
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience,
- Use only the Official Channels to discuss vulnerability information with us,
- Report any vulnerability you have discovered promptly,
- Perform activities only on in-scope systems, and respect systems and activities which are out-of-scope,
- Once you have established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else,
- Do not engage in extortion,
- Do not submit a high volume of low-quality reports.
Prohibited activities
The following activities are prohibited:
- Denial of service (including resource exhaustion, automated scanners sending more than 10 requests per second, deleting data, fuzzing, etc.),
- Spamming,
- Social engineering (including phishing, spear phishing, vishing, smishing),
- Physical access (including entering or surveilling properties),
- Attacking non-internet-facing systems (internal networks, private IPs, workstations, etc.),
- Installing persistent backdoors,
- Irreversible damage to systems and/or data corruption,
- Non-coordinated vulnerability disclosure.
Issues out of scope
Issues without direct security impact, as well as lack of hardening or missing defense-in-depth measures, are out of scope for this VDP, in particular:
- Findings from physical testing such as office access (e.g. open doors, tailgating),
- Findings derived primarily from social engineering (e.g. phishing, vishing),
- Findings from applications or systems not listed in the `Scope` section,
- UI and UX bugs and spelling mistakes,
- Network level Denial of Service (DoS/DDoS) vulnerabilities,
- Missing cookie flags and security headers,
- Form spamming.
We do not want to receive:
- Sensitive information, such as PII or financial information,
- Results from automated scanning tools.
To determine whether a domain is relevant, check whether it is owned by us or whether it points to our IP ranges. Domains change constantly, so always refer to the whois database and our specified IP ranges for the most up-to-date information.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the organization or partner organizations to be in breach of any legal obligations.