Updated: October 2015
Here at Constant Contact, we welcome the reporting of security vulnerabilities in our product and services and encourage researchers to reach out to us when they find issues. We operate under the concept of responsible disclosure and require any researcher to follow this process:
Please submit your report at email@example.com or through our Twitter account at @CTCTsecurity.
Be sure to include a secure method for us to contact you, and we'll get back to you as soon as possible, usually within three business days, acknowledging the receipt of your submission.
To encrypt your email communications to us, please use our PGP public key.
NOTE: We will not accept vulnerability submissions at the firstname.lastname@example.org email address.
Once we've received your message, we will assign a security analyst to your submission and we will investigate the issue to determine how broad the impact might be. This analyst will reach out to you and will serve as your primary contact for the submission. Please note, it is our policy to not publicly comment on the validity of submissions until a fix is released. Once the fix is released, we will update the acknowledgements list on this page.
Security is a constantly evolving field and we enjoy collaborating with the best and brightest in the security community. We always appreciate your taking the time to help us find and fix security flaws so they don't pose a serious risk to our customers.
Thanks to everyone who has let us know about vulnerabilities in the past.