As a security researcher, I am committed to responsibly reporting security vulnerabilities to vendors and other parties. By allowing organizations to quickly identify and fix security issues, we can help protect the privacy and security of users and enhance the reputation of the organizations as ones that prioritize security.
Responsible Disclosure Policy
Purpose: The purpose of this policy is to outline the terms and conditions for reporting security vulnerabilities that I discover as a security researcher.
Scope: This policy applies to any security vulnerabilities that I discover in any software, website, or system owned and operated by anyone.
Reporting Vulnerabilities: I will make a good faith effort to report any security vulnerabilities that I discover to the vendor or other party responsible for the affected software, website, or system.
Disclosure Timelime: I will allow the vendor or other party 45 days to address the vulnerability before disclosing it publicly, as long as I receive a response within the first 10 business days. If I do not receive a response within the first 10 business days, the disclosure timeline will be reduced to 30 days.
Responsible Disclosure: I will not engage in any activity that may cause harm to the affected systems or users, such as hacking, attacking, or exploiting the vulnerability. I will also not share any information about the vulnerability with third parties until it has been fixed.
Acknowledgment: If the vendor or other party follows best practices for addressing the vulnerability, I may acknowledge their efforts in my public disclosure.
This policy applies to all security vulnerabilities that I discover as a security researcher. By following this policy, I aim to promote responsible and secure reporting of vulnerabilities for the benefit of all parties involved.