Vulnerability Disclosure Policy
VulnExchange, Inc. DBA StackAware ("StackAware") welcomes contributions from responsible security researchers ("you" hereafter). Thus, for any good-faith activities consistent with this policy, we will:
-- Not initiate legal action against you.
-- If a third party initiates legal action against you in connection with activities covered under this policy, inform such a third party of your good-faith compliance with it.To be eligible, you must:
-- Submit reports via StackAware SafeBase status page.
-- Describe the vulnerability, where it was discovered, and the impact to data confidentiality, integrity, or availability.
-- Offer a detailed description of the steps needed to reproduce the vulnerability, including either a step-by-step written narrative, a video recording, or both.
-- Agree to keep confidential any information obtained while identifying any vulnerability, with the exception of that described in the Authorized Public Communications section below.To be eligible, you must NOT:
-- Demand compensation or insinuate that it is owed.
-- Threaten to or actually publish information regarding the vulnerability, or provide it to any third party not under any contractually or legally binding duty of confidentiality to you or your organization, prior to the authorized public communications.
-- Perform social engineering, physical penetration testing, or denial of service attacks on StackAware personnel, locations, or assets.
-- Modify or destroy any data encountered.
-- Submit vulnerability reports from automated scanning tools without evidence of exploitability.If you comply with these requirements, StackAware will:
-- Work with you in good faith.
-- Acknowledge receipt within 72 hours.
-- Advise whether StackAware has accepted the report, and, if so, when the vulnerability is resolved.
-- If desired, recognize you via the StackAware web site ("Authorized Public Communications), including the following information (if applicable):
1. Your name or handle
2. Your organization
3. General description of the vulnerability
4. Common vulnerabilities and exposures (CVE) identifier
-- After the Authorized Public Communications, authorize and provide a revocable, royalty-free license for you to post exploit code for the specific vulnerability remediated in a public forum of your choice.Participating in the StackAware CVD program does not grant you, or any other third party, any rights to StackAware intellectual property, product, or service. All rights not otherwise granted within this policy are expressly reserved by StackAware. By submitting a vulnerability for consideration, you hereby assign to StackAware all rights, title, and interest, including all intellectual property rights, for all vulnerability reports submitted. You further represent that you have the right to assign all such rights, titles, and interests to StackAware for the submissions, and that your participation in the StackAware CVD program does not violate any agreement you may have with any other third party, such as your employer.
© StackAware. All rights reserved.