Introduction
At Reelist, we take security seriously and are committed to protecting our systems, data, and users. We follow industry best practices, including SOC 2 Type II, GDPR, CCPA, and VCDPA (Virginia Consumer Data Protection Act) compliance.
We appreciate ethical security researchers who responsibly disclose vulnerabilities. If you comply with this policy, we will not take legal action against you for good-faith security research. However, violations of this policy may result in legal action, revocation of safe harbor protections, or referral to law enforcement.
Safe Harbor
We will not take legal action against researchers who:
- act in good faith and follow the guidelines outlined in this policy
- report issues responsibly and privately before public disclosure
- avoid harm, such as not disrupting services, accessing private data, or attempting extortion
- comply with applicable laws, including GDPR, CFAA, DMCA, CCPA, and VCDPA
Safe harbor does not apply if you:
- exfiltrate, modify, or store user data, even for research purposes
- degrade service availability through actions like DDoS, excessive API calls, or brute-force attacks
- access or modify accounts, applications, or systems without explicit authorization
- engage in social engineering, phishing, or credential harvesting
- use automated scanning tools that overload or disrupt the system
- demand payment, employment, or other compensation in exchange for non-disclosure
If a third party, such as law enforcement, initiates legal action, we will clarify that your actions were conducted under this policy only if your research fully complied with these guidelines.
Scope
Systems Covered by This Policy
This policy applies to:
- Certain paths on www.reelist.com
- Directly controlled subdomains
- Public-facing applications and services owned by Reelist
- APIs and integrations explicitly listed in Reelist’s documentation
Out of Scope
The following are not covered by this policy:
- Routes on www.reelist.com hosted on our CMS provider, such as marketing pages, landing pages, and our home page
- The Help Center at help.reelist.com
- The Status Page at status.reelist.com
- The Trust Center at trust.reelist.com
- Third-party services, integrations, or vendors outside Reelist’s direct control
If you are unsure whether a system is in scope, contact us before testing via our Help Center.
Rules for Responsible Research
To qualify for safe harbor protection, researchers must:
- never disrupt services, including through DoS attacks, spamming, or automated flooding
- never access, store, or modify user data
- never attempt to hack real user accounts; use test accounts only
- report issues confidentially via our Help Center
- never demand payment or compensation for disclosures
- never conduct social engineering, phishing, or employee impersonation
Failure to follow these rules voids safe harbor protections and may lead to legal consequences.
How to Report a Security Issue
If you discover a vulnerability, report it immediately by opening a ticket in our Help Center with:
- A vulnerability description providing a clear explanation of the issue
- Reproduction steps detailing a step-by-step guide to replicate the vulnerability
- Potential impact outlining the severity and possible exploitation risks
- A proof of concept, if applicable, including screenshots, logs, or code snippets demonstrating the issue
We acknowledge valid reports within five business days and will update you on the resolution timeline.
Legal Compliance and Data Protection
Key Compliance Areas
GDPR (General Data Protection Regulation)
- Do not access, process, or store user data
- Unauthorized access to personal data may be considered a breach under GDPR
CFAA (Computer Fraud and Abuse Act - U.S.)
- Do not exceed authorized access to systems
- Any unauthorized modification or access may violate CFAA
DMCA (Digital Millennium Copyright Act - U.S.)
- Do not bypass or disable security controls
- Avoid reverse-engineering software without permission
CCPA and VCDPA (Virginia Consumer Data Protection Act)
- Do not extract, store, or misuse user data
What Is Out of Scope
We will not consider reports for:
- Missing security headers such as X-Frame-Options unless exploitable
- Self-XSS vulnerabilities that require user interaction
- DoS or DDoS testing, including accidental overload
- Phishing, social engineering, or employee-targeted attacks
- Brute-force login attempts, credential stuffing, or automated scanning
- Issues in third-party services, vendors, or Webflow-hosted content
Final disclaimer and legal notice
This policy does not create any legal obligations or contractual rights between Reelist and security researchers. By submitting a report, you acknowledge that:
- you are not an employee, agent, or contractor of Reelist
- you do not acquire any rights, ownership, or license to Reelist’s intellectual property
- Reelist retains sole discretion to determine whether a report qualifies under this policy
If you have questions, need clarification, or wish to report a vulnerability, please submit a ticket via our Help Center.
Changes to This Policy
Reelist reserves the right, in its sole discretion, to change any policy under which our Site or related services are offered, including but not limited to the Privacy Policy and Terms of Service. The most current version of these policies supersedes all previous versions. When required by law, we will notify you of significant changes by:
- Sending a notice to the email address on file in your account, and/or
- Placing a prominent notice on our Site.
Your continued use of the Site and Services after these modifications constitutes acknowledgment of and agreement to the updated policies. We encourage you to periodically review these policies to stay informed.