Vulnerability Disclosure Programme

Updated 23.04.25

1. Purpose

The purpose of Portal’s Vulnerability Disclosure Programme is to encourage responsible reporting of security vulnerabilities in Portal’s SmartLocks, Building OS, mobile applications, websites, APIs, and services. Reports can be sent to security@tryportal.com with details of the vulnerability and a proof of concept. We value the contributions of security researchers and ethical hackers in enhancing the safety of our global properties and are committed to collaborating with them to verify and resolve potential vulnerabilities.

The programme has clear guidelines that prohibit malicious or unauthorised actions and ensure compliance with privacy and legal requirements. Only verifiable vulnerabilities meeting Portal’s criteria will qualify for recognition or rewards, with the first reporter credited for their contribution to our security.

If you are a Portal customer or tenant and suspect unauthorised activity or fraud, please contact support immediately at https://tryportal.com/support. For security vulnerabilities, follow this policy, acting in good faith and adhering to legal regulations. Portal offers safe harbour for researchers who comply and act responsibly.

2. Testing Environments

Our test environment is designed to protect the privacy and safety of our users without disrupting Portal’s services. Unauthorised testing or policy violations may lead to legal or administrative action. Only approved testing with prior written consent from Portal is permitted.

3. Reporting a Security Vulnerability

Sharing vulnerability details outside our formal reporting process (security@tryportal.com) is prohibited and will not be accepted by Portal.

4. Policy

Portal will investigate all legitimate reports and strive to resolve vulnerabilities promptly. We request that you:

  • Provide detailed reproduction steps and validation information to help our Security Team address the issue efficiently.
  • Allow Portal reasonable time to fix the vulnerability before public disclosure, protecting our users and systems from harm.
  • Act in good faith, avoiding damage to Portal’s infrastructure, data, or users during testing.

5. Programme Rules

Portal encourages ethical vulnerability discovery and reporting. The following are prohibited:

  • Unauthorised data access.
  • Illegal activities (e.g., hacking, phishing, brute force, social engineering).
  • Data destruction.
  • Service interruption or degradation.
  • Privacy violations (e.g., accessing personal data without consent).
  • Physical attacks on facilities.
  • Denial of Service (DoS) attacks.
  • Spamming or malicious activities.
  • Actions risking user or employee safety.
  • Exploits to move between systems.
  • Interference with normal operations.

6. In Scope Targets

  • Portal’s public-facing websites and mobile applications.
  • APIs and back-end services supporting Portal’s SmartLocks and Building OS.
  • Infrastructure and networks for Portal’s services.

Note: The in-scope targets list may change, and Portal reserves the right to update it.

Recognition + Reward

Portal may offer up to £1,000 at its discretion for critical vulnerabilities, based on severity and impact. Rewards are discretionary, and Portal reserves the right to adjust the programme or reward amounts.