Cybersecurity and Privacy Vulnerability Disclosure Policy
Purpose
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Cybersecurity and Privacy, Inc. (“Cybersecurity and Privacy”) systems, and submitting discovered vulnerabilities to Cybersecurity and Privacy.
Overview
Cybersecurity and Privacy recognizes that external security researchers can help to increase the security of Cybersecurity and Privacy systems, and we welcome contributions from security researchers, as set forth in this policy. If you have information about a vulnerability in a Cybersecurity and Privacy system, we encourage you to let us know right away.
Information submitted to Cybersecurity and Privacy under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.
Please review, understand, and agree to the following terms and conditions before conducting any testing of Cybersecurity and Privacy systems and before submitting a report. Thank you.
Scope
The Cybersecurity and Privacy website and applications located at www.cybersecurity-privacy.com (and its subdomains). Third-party applications or websites are only within the scope when: (1) you are able to research vulnerabilities: (a) through the ordinary functioning of such website or app as it interacts with Cybersecurity and Privacy’s website or app, or (b) pursuant to the terms of such third party’s vulnerability disclosure program, and (2) the vulnerability impacts Cybersecurity and Privacy users or systems.
How to Submit a Report
Please send your report to [email protected]. The report must include a detailed summary of the vulnerability, including: type of issue; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.
By sending the report you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Cybersecurity and Privacy systems, and consent to having the contents of the communication and follow-up communications stored on Cybersecurity and Privacy systems.
Guidelines
Cybersecurity and Privacy will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- Your activities are limited exclusively to: (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or (2) Sharing with, or receiving from, Cybersecurity and Privacy information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You do not interact with an individual account (which includes modifying or accessing data including personally identifiable information from the account) without the account owner’s explicit consent in writing, which you must produce upon request.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on Cybersecurity and Privacy systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy or safety of any person.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any person or entity.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Cybersecurity and Privacy.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of Cybersecurity and Privacy users, employees or contractors.
- You do not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
What You Can Expect from Us
We take every disclosure seriously and very much appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
Cybersecurity and Privacy remains committed to coordinating with the researcher as openly and quickly as possible. This includes:
- We investigate and respond to all valid reports. We prioritize evaluations based on risk and other factors, so timing of our reply may vary. We may request further information from the researcher.
- To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.
- We want researchers to be recognized publicly for their contributions, if that is the researcher’s desire. We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of Cybersecurity and Privacy.
- We do not currently have a bug bounty program, so researchers will not be entitled to payment for their identification of vulnerabilities. Notwithstanding the foregoing, we may in our sole discretion and upon agreement with the researcher, provide such compensation as we determine is appropriate for the researcher’s report.
Information submitted to Cybersecurity and Privacy under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our licensors and vendors.
Legal
You must comply with all applicable Federal, state, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
Your use of Cybersecurity and Privacy services, including for purposes of this program, remains subject to our Terms of Service. To the extent activities authorized by this policy are inconsistent with the provisions in the Rules For Using The Services heading of the Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy.
Cybersecurity and Privacy does not authorize, permit, or otherwise allow (expressly or impliedly) any person or entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law.
If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) Cybersecurity and Privacy will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than Cybersecurity and Privacy, Cybersecurity and Privacy will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.
Cybersecurity and Privacy may modify the terms of this policy or terminate the policy at any time.