At Pitch we truly appreciate when ethical hackers, security researchers, or any well-intentioned person report a security vulnerability to us. We take security seriously and we will respond diligently to any email sent to firstname.lastname@example.org
The goal of this document is to define how to engage with Pitch Security Team. Please read it in full if you believe to have found a security vulnerability in our application or infrastructure.
Please, only report issues related to the following:
The following type of issues are not currently in scope, so please do not report them:
In response to your initial email to email@example.com, you will receive an acknowledgement reply email from the security team (usually within 24 hours of your report being received).
Following the initial contact, our security team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope, or is a duplicate report.
From this point, necessary remediation work will be assigned to the appropriate teams. Priority for bug fixes and/or mitigation will be assigned based on the severity of impact and complexity of exploitation.
Vulnerability reports may take some time to triage and/or remediate. You’re welcome to inquire on the status of the process but please limit this to no more than once every 14 days to help our security team focus on the reports as much as possible.
Our security team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately. We will offer you the opportunity to provide feedback to us on the process and relationship as well as the vulnerability resolution. This information will be used in strict confidence in order to help us improve the way in which we handle reports and/or develop services and resolve vulnerabilities.
In accordance with industry standards, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately while also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers).
Security researchers must not:
We request that any and all data retrieved during research is securely deleted as soon as it is no longer required and at most, one month after the vulnerability is resolved, whichever occurs soonest.
If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance at firstname.lastname@example.org. Please do not include any sensitive information in the initial communications.
We do not currently run a bug bounty at Pitch. For vulnerabilities of relevant interest and impact in our application and infrastructure we will review them at per-case basics regarding any type of reward.
This policy is designed to be compatible with common good practices among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause the Pitch to be in breach of any of its legal obligations, including but not limited to:
Pitch will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Pitch service.
If you wish to provide feedback or suggestions on this policy, please contact our security team at email@example.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete, and remains relevant.
Absolutely! While the Pitch application is written mostly with Clojure, we use lots of more widely-known libraries and languages (e.g. React.js) as well. Every engineer who joins without prior knowledge of Clojure can expect extensive mentorship, time, and resources to learn Clojure and our codebase before diving into the deep-end.
Yes, of course. Pitch wants to hire the best and brightest regardless of where they're based geographically. On occasion, teams have a preference for candidates whose working hours overlap with the rest of their team, but there is always flexibility.
No. While we do have an office in Berlin, physical presence there is 100% optional.
Absolutely, feel free to submit a speculative application.
We do our best to get back to all applicants within one week of their applications. That being said, the application review process has lots of moving parts and depends on the availability of our hiring teams, holidays, and other unpredictable factors. We do our best, but appreciate your patience if it takes >1 week to respond to you.
Given the high volume of applications we receive, it's not possible for us to give tailored feedback to candidates who aren't selected for first-stage interviews. If you do progress beyond the first-stage interview, however, we try to give specific, tailored feedback should there not be a fit.
The typical Pitch interview processes consists of the following steps, all of which are conducted remotely.
We process and store all data in accordance with GDPR standards. You can request to have your data deleted at any time after applying and we will action this request within 1-2 days.
The average recruitment process lasts between 4-5 weeks to get through all the stages, although there's some variability depending on availability on both the hiring team and candidate side.
The short answer is 'no'. We practice asynchronous communication.
Yes, one might miss having the office as an anchor, or the occasional water-cooler chat with colleagues. But 100% remote work doesn't have to be disengaged and disconnected! At Pitch, we put a lot of emphasis on connecting (not just about work!) through virtual coffee chats, catch-ups via Zoom (as and when needed)... and Slack shenanigans. Additionally, we are big fans of team offsites, yearly company get togethers, and Weekly Bulletins (our async alternative to All-Hands). We believe remote working empowers you to work autonomously and flexibly on something you believe in, and your colleagues are only a Slack away for a second opinion, cheering up, and various meme shenanigans.