Vulnerability Disclosure Policy

Last updated: January 26, 2024

Last updated: October 13, 2025

Brief Summary for Bug Hunters

Please note that Riverside does not operate a formal bug bounty program and does not offer monetary or other rewards for reported issues.

We kindly ask that you review the scope of acceptable vulnerabilities outlined in this Policy. Submissions describing issues outside this scope will not be considered.

If you discover a valid in-scope vulnerability, you may report it via the email listed in our Policy. Our security team will review each submission. However, due to the high volume of out-of-scope and duplicate reports, we will only respond to valid, non-duplicate issues.

Thank you for your understanding and for helping us keep our platform secure.

Reporting a Vulnerability - Rules of Engagement

If you believe you have discovered a security vulnerability on our website, platform, or mobile app, we encourage you to report it to us as soon as possible.

Please include the following in your report:

  • A brief description of the vulnerability

  • Step-by-step reproduction of the issue. The steps should form a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers. Reports lacking clear repro steps cannot be processed.

  • Provide sufficient detail or proof-of-concept (PoC) code – use any format you like, but be sure we can reproduce the issue and gauge its impact. 

  • Your contact information (optional, if you'd like updates)

Skip severity ratings – we’ll assign priority internally.

Submit your report to: [email protected]

What you can expect

Once we receive your report, it will be triaged by our security team. We aim to respond to all valid and accepted reports within 10 business days.

  • If your report describes a vulnerability we are already aware of, or we determine that it does not constitute a security issue, we may choose not to respond.

  • If additional information is needed, we will reach out to you directly.

  • All submissions, regardless of their nature, are reviewed and routed appropriately.

  • We are not obliged by law to pay you for every report sent.

In-Scope Vulnerabilities

We are interested in reports that identify vulnerabilities affecting the confidentiality, integrity, or availability of our services or user data. Examples include:

  • Cross-Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Server-side code injection

  • Authentication or authorization flaws

  • Insecure direct object references

  • SQL injection

  • Explicit security misconfigurations

Out-of-Scope Vulnerabilities

  • Denial of service (DoS) attacks

  • Clickjacking on pages with no sensitive actions

  • Spam or social engineering techniques

  • Sociotechnical attacks (phishing, spear-phishing, etc.) on Riverside employees

  • Data Exfiltration

  • Vulnerabilities requiring physical access to a user’s device

  • Missing security headers (unless exploitable)

  • Disclosure of known public files or directories

  • Reports generated by automated scanning tools (turbo-intruder, fuzzers, etc.), which generate high traffic and may put a high load on our infrastructure

Guidelines for Responsible Disclosure

We ask that you:

  • Avoid violating user privacy or accessing user data.

  • Do not exploit a vulnerability beyond the extent necessary to prove it.

  • Do not publicly disclose the issue or release information about vulnerabilities to people not connected to Riverside, as this information is Riverside’s confidential information.

  • Do not use social engineering, phishing, or physical attacks.

  • Securely delete all data retrieved during your research as soon as it is no longer required.

Testing should never compromise the availability or integrity of our platform or services.

Legal Safe Harbor

We are not going to take legal action against researchers who report vulnerabilities in good faith and adhere to this policy, as determined by us in our sole discretion. If your research and reporting align with these guidelines, we consider it authorized and will treat it accordingly.

No Bounty or Compensation

We currently do not offer a bug bounty program or provide rewards for vulnerability submissions.

Revisions

This Vulnerability Disclosure Policy may be updated at any time to reflect improvements in our security processes, compliance obligations, or threat landscape. Any changes will be posted on our website.

Questions

Questions regarding this Policy may be sent to [email protected].

Thank you for helping us keep Riverside and our users safe!

Riverside
