Vulnerability Disclosure Program
VulnExchange, Inc. DBA StackAware ("StackAware") welcomes contributions from responsible security researchers ("you" hereafter) as part of its vulnerability disclosure program ("VDP"). Thus, in response to your good-faith participation in the VDP, we will:
-> Not initiate legal action against you.
-> If a third party initiates legal action against you as a result of your participation in the VDP, inform such a third party of your good-faith compliance with it.
To be eligible, you must:
-> Submit reports about potential vulnerabilities via email to security@stackaware.com with "VDP" in the subject line.
-> Describe the vulnerability, where it was discovered, and the impact to data confidentiality, integrity, or availability. This includes artificial intelligence (AI) systems where the outputs are offensive, unethical, illegal, or have otherwise adverse impacts.
-> Give a detailed description of the steps needed to reproduce the vulnerability, including either a step-by-step written narrative, a video recording, or both.
-> Agree to keep confidential any information (with the exception of Authorized Public Communications, described below) obtained while participating in the VDP.
To be eligible, you must NOT:
-> Demand compensation or insinuate that it is owed.
-> Provide (or threaten to provide) any information obtained while participating in the VDP to any third party not under any contractual or otherwise legally binding duty of confidentiality to you or your organization. The only exception to this is the Authorized Public Communications.
-> Modify or destroy any data encountered.
-> Perform social engineering, physical penetration testing, or denial of service attacks on StackAware personnel, locations, or assets.
-> Submit vulnerability reports from automated scanning tools without evidence of exploitability.
If you comply with these requirements, StackAware will:
-> Work with you in good faith.
-> Acknowledge receipt of your report within 72 hours.
-> Advise whether StackAware has accepted the report, and, if so, when the vulnerability is resolved.
-> If desired, recognize you via the StackAware web site ("Authorized Public Communications"), including the following information (if applicable):
1. Your name or handle
2. Your organization
3. General description of the vulnerability
4. Common vulnerabilities and exposures (CVE) identifier
-> After the Authorized Public Communications, authorize and provide a revocable, royalty-free license for you to post exploit code for the specific vulnerability remediated in a public forum of your choice, provided that posting such code does not violate any third-party rights.
Intellectual property and other requirements
StackAware authorizes any party to reuse or adapt the text of this VDP, provided such party cites StackAware as the source and provides a hyperlink to https://vdp.stackaware.com. Aside from naming StackAware as the source of the original VDP text, however, such a party may not imply StackAware endorsement or use the StackAware logo.

Participating in the VDP does not grant you, or any other third party, any additional rights to StackAware intellectual property, products, or services. All rights not otherwise granted within this policy are expressly reserved by StackAware.

By submitting a vulnerability for consideration, you hereby assign to StackAware all rights, title, and interest, including all intellectual property rights, for all vulnerability reports submitted. You further represent that you have the right to assign all such rights, titles, and interests to StackAware for the submissions, and that your participation in the StackAware VDP does not violate any agreement you may have with any other third party, such as your employer.
Contributors
© StackAware. All rights reserved.