Responsible Disclosure Policy
Introduction
OverDrive values the work done by security researchers ("You", "Your") to improve the security of OverDrive products and service offerings. OverDrive is dedicated to working with You to respond to legitimate reported security vulnerabilities. Please note that OverDrive does not offer compensation or public recognition for vulnerability information.
Authorization
To encourage responsible reporting of security vulnerabilities in OverDrive systems, we commit that we will not report Your actions to law enforcement if You comply with this Responsible Disclosure Policy in its entirety.
Responsible Disclosure Prohibitions - You shall NOT:
3.1 Send Your report to any OverDrive email address other than security@overdrive.com (reports sent to any other address will not be processed);
3.2 Access OverDrive user, customer, employee, or other confidential data;
3.3 Cause damage, destruction, erasure, change, exfiltration, inaccessibility, or further disclosure of OverDrive data, or degradation of any related systems or services, including the data, systems, or services of any users, customers, affiliated companies, or subsidiaries;
3.4 Use any discovered security vulnerability to establish command-line access and/or persistence, or use the vulnerability to pivot to other systems;
3.5 Test physical facilities or resources;
3.6 Engage in social engineering;
3.7 Send unsolicited messages to OverDrive employees or users, including "phishing" messages;
3.8 Execute or attempt to execute "denial of service" or other "resource exhaustion" attacks;
3.9 Introduce malicious software;
3.10 Test third-party applications, websites, or services that integrate with or link to or from OverDrive systems;
3.11 Share information with any third party that would enable that third party to engage in any prohibited or illegal activities; or
3.12 Take any action that would require mandatory reporting by OverDrive.
Responsible Disclosure Report Process Requirements - You shall:
4.1 Stop Your test immediately upon, and in no event later than 24 hours after, Your discovery of a security vulnerability or encounter with any sensitive data; and
4.2 Email security@overdrive.com and include the following information:
- 4.2.1 Your full legal name;
- 4.2.2 Your telephone number;
- 4.2.3 Your email address;
- 4.2.4 Your company name (if applicable);
- 4.2.5 Detailed description of any vulnerabilities, including information needed to validate the vulnerability and its potential impact;
- 4.2.6 Verification that You have not retained any OverDrive data;
- 4.2.7 Acknowledgement that You will not be compensated, and retain no ownership rights over any shared information; and
- 4.2.8 Acknowledgement that You have read and agree to be bound by the terms of OverDrive's Responsible Disclosure Policy.
4.3 Maintain confidentiality of Your submitted report and related activities.
4.4 Refrain from sending repeated email inquiries about the same issue unless prompted by, or in response to, a reply from OverDrive. OverDrive receives illegitimate and automated emails purporting to be security reviews or reports. We appreciate You working with us to distinguish Your legitimate information sharing by using our responsible disclosure process.