Effective Date: June 2nd, 2025
At Forest, protecting the privacy and safety of our riders, partners, and platform is a top priority. We are committed to maintaining a secure environment and welcome the support of the community in identifying potential vulnerabilities in a responsible and ethical manner.
If you discover a security issue within Forest’s systems or services, we encourage you to report it to us promptly and respectfully — so we can work together to keep our users safe.
Scope
This policy applies to:
- All Forest mobile apps and subdomains
- Forest APIs, rider dashboards, and partner platforms
What’s Not in Scope
The following are considered out of scope for this policy:
- Denial-of-service (DoS/DDoS) attacks
- Social engineering or phishing of Forest employees or riders
- Physical security or in-person attacks
- Automated vulnerability scans or brute-force attempts
- Use of any vulnerability to compromise, download, or manipulate user data without permission
How to Report
You can submit your findings through our HackerOne embedded submission form below, or by emailing [email protected] with:
- A detailed description of the vulnerability
- Steps to reproduce the issue (screenshots, proof-of-concept, or logs are helpful)
- The potential impact you believe this issue could cause
- Your name (or alias) if you’d like recognition
Please do not publicly disclose the issue until we’ve had a chance to investigate and fix it.
The Process
If you follow responsible disclosure best practices, we will:
- Acknowledge your report within a reasonable time
- Keep you informed as we assess and address the issue
- Not take legal action against good-faith reports
- Credit you on our public Security Contributors page (unless you prefer to remain anonymous)
In select cases, we may also offer a non-monetary thank-you or reward at our discretion.
Known Non-Issues (Excluded from Recognition)
- Self-XSS in input fields you control
- Use of outdated libraries without proven exploitability
- Lack of best-practice headers (CSP, HSTS, etc.)
- Open ports or non-sensitive error messages