Last updated on June 6, 2024
OVERVIEW
This Vulnerability Disclosure Program (VDP) Policy is a ready-made template provided to organizations when they set up the program policy for their Secuna Response VDP programs. Organizations may adapt the contents of this policy in their specific program policies to fit their own needs and guidelines.
INTRODUCTION
[Company Name] welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us.
GUIDELINES
We require all hunters to:
- Act in good faith during security testing to avoid privacy violations, degradation or disruption of our services and systems (including denial of service), and destruction of data;
- Perform research only within the scope set out below;
- Provide detailed reports with reproducible steps;
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact;
- Only interact with your own accounts or test accounts for security research purposes. Do not access or modify our data or our users' data without the explicit permission of the owner; and
- Always adhere to this program’s disclosure policy and Secuna’s disclosure terms.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- Recognize your contribution on our leaderboard if you are the first to report the issue and we make a code or configuration change based on it.
EXPECTATIONS
When working with us according to this policy, you can expect us to: