April Responsible Disclosure Policy

Effective date: October 17, 2022

April continuously strives to ensure the safety and security of our users’ personal information and our systems. If you’re a good-faith security researcher who has identified a potential cybersecurity issue or vulnerability in any of our products, applications, systems, or platform, we’d like to hear about it through our Responsible Disclosure Program. We appreciate the security community’s help in keeping April secure.

Responsible Disclosure Program

Program Terms and Conditions

Your participation in our responsible disclosure program is voluntary and subject to the following terms and conditions:

  • If you’re able to gain access to an account, system, user, or data, stop at the point of identification and report. Do not dive deeper to assess how much more is accessible.
  • Show that you could exploit a vulnerability, but do not actually exploit the vulnerability or harm April or any of our users, partners, shareholders, or employees.
  • Do not engage in disruptive testing like DoS or any action that could impact our users or the confidentiality, availability, or integrity of our data, information, or systems.
  • Do not engage in social engineering or phishing of users or employees.
  • Do not access, modify, copy, download, delete, compromise, or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • Adhere to the laws of your location and April’s location. You’re prohibited from participating in the program if you’re a resident of any U.S.-embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you’re on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By participating in the program, you represent and warrant that you’re not located in any such country or on any such list, and that you are 18 years of age or older.
  • Do not use the existence of a potential vulnerability to make threats, extortion demands, or ransom requests.
  • By submitting a report to April, you agree that you may not publicly disclose your findings or the contents of your report to any third parties without April’s prior written approval.
  • Engage in vulnerability testing only within the scope of our responsible disclosure program.

How to Report a Vulnerability

To submit a vulnerability report to April’s Security Team, please email your report to security@getapril.com.

Please consider the following criteria in putting together your report in order to ensure resolution:

  • Submit your report in English and include proof-of-concept code or sufficient details that will allow for reproduction of the potential vulnerability.
  • Include how you found the vulnerability, the impact, and any potential remediation.
  • Do not submit a report that includes only crash dumps or other automated tool output.

We will endeavor to provide a response to your report within two business days and expect to maintain an open dialogue.