ÃÛ¶¹ÊÓÆµ Vulnerability Disclosure Program

No technology is perfect and ÃÛ¶¹ÊÓÆµ believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. ÃÛ¶¹ÊÓÆµ is now working with Bugcrowd on a vulnerability disclosure engagement program, which you can access by signing up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see .

Ratings

For the initial prioritization/rating of findings, this engagement will use the . However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

ÃÛ¶¹ÊÓÆµ Vulnerability Disclosure Policy

At ÃÛ¶¹ÊÓÆµ, protecting the information of our customers, partners, vendors, employees, and organization is a top priority. We value the important role that customers, security researchers, and security experts play in helping us safeguard our systems. We encourage responsible disclosure of vulnerabilities in accordance with this policy and appreciate the opportunity to promptly investigate and remediate findings.

This policy explains:

  • Which systems and types of research are covered.
  • How to report vulnerabilities to ÃÛ¶¹ÊÓÆµ.
  • How long we ask researchers to wait before public disclosure.

Rules of Engagement

By participating in our Vulnerability Disclosure Program, you agree to act in good faith and to:

  • Follow this policy and any other applicable agreements. If there is a conflict, this policy takes precedence.
  • Report vulnerabilities promptly.
  • Avoid violating privacy, disrupting systems, destroying data, or degrading the user experience.
  • Use only official reporting channels.
  • Allow a reasonable period (at least 90 days from the initial report) for remediation before public disclosure.
  • Test only in-scope systems and respect all out-of-scope systems.
  • Limit data access strictly to what is required to demonstrate a Proof of Concept. If you encounter sensitive data (e.g., PII, PHI, credit card data, or proprietary information), stop testing immediately and submit a report.
  • Use only test accounts you own or those for which you have explicit permission.
  • Refrain from any form of extortion.

Prohibited Activities

To protect our users and systems, you must not:

  • Access or attempt to access accounts or data that do not belong to you.
  • View, modify, delete, or destroy data.
  • Perform denial-of-service testing or introduce malware.
  • Use exploits beyond what is necessary to confirm a vulnerability. This includes attempting to exfiltrate data, gain persistence, establish command-line access, or pivot to other systems.
  • Continue testing once a vulnerability is confirmed or sensitive data is encountered.

Testing Requirements

  • Monitor your testing carefully to avoid impacting system performance or availability.
  • If you notice degradation of our assets, stop all testing immediately and suspend automated tools.
  • Keep vulnerability details confidential for at least 90 calendar days after Bugcrowd validation.

Scope

This policy applies to:

  • Domains owned by ÃÛ¶¹ÊÓÆµ and its brands/subsidiaries
  • All hardware products and associated software engineered, developed, and manufactured by ÃÛ¶¹ÊÓÆµ, any brand, or any subsidiary
  • All applications published on Google Play or Apple App Store associated with ÃÛ¶¹ÊÓÆµ, its brands, or subsidiaries
  • Any associated infrastructure vulnerabilities
  • Other ÃÛ¶¹ÊÓÆµ-owned assets with demonstrated security impact

Out of Scope

If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to ÃÛ¶¹ÊÓÆµ, you can report it to this engagement. However, be aware that it is ineligible for rewards or points-based compensation.

  • Denial-of-service testing (DoS/DDoS).
  • Physical security testing (e.g., office access, tailgating).
  • Social engineering (e.g., phishing, vishing, spam).
  • Self-XSS.
  • Malware uploads.
  • Vulnerabilities in non-ÃÛ¶¹ÊÓÆµ vendor systems (report directly to the vendor).

If you are unsure whether a system or endpoint is in scope, contact us at ÃÛ¶¹ÊÓÆµ-vdp-pro@submit.bugcrowd.com before starting your research.

Reporting a Vulnerability

  • ÃÛ¶¹ÊÓÆµ accepts and reviews reports through Bugcrowd’s submission form (preferred). This ensures your report includes the details we need to validate and remediate quickly.
  • Alternatively, you may submit by email to ÃÛ¶¹ÊÓÆµ-vdp-pro@submit.bugcrowd.com.
  • We may share reports with US-CERT, affected vendors, or open-source projects, where appropriate. Please note that third-party systems are out of scope and should be reported directly to those vendors.

Coordinated Disclosure

  • ÃÛ¶¹ÊÓÆµ is committed to remediating validated vulnerabilities within 90 days of Bugcrowd validation.
  • Please do not share your report with others until remediation is complete.
  • If you wish to publish an advisory, we ask that you coordinate with us so sensitive details can be redacted, and we have time to review before public posting.

Eligibility

Participants must:

  • Not be residents of countries under U.S. sanctions (as listed by the U.S. Treasury Department).
  • Not be current or recent (within the past 6 months) employees or contractors of ÃÛ¶¹ÊÓÆµ or its subsidiaries.
  • Ensure research complies with U.S. law and the laws of your country of residence.

Our Commitment

We will:

  • Review and validate your report through Bugcrowd.
  • Treat validated findings as a top remediation priority.
  • Provide updates throughout the submission, validation, and remediation process.

Safe Harbor

When conducting vulnerability research in accordance with this policy, we consider your activity to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws.
  • Exempt from the Digital Millennium Copyright Act (DMCA).
  • Exempt from restrictions in our Terms & Conditions that would otherwise interfere with security research.
  • Lawful, helpful to Internet security, and conducted in good faith.

If you have any doubts about whether your research is consistent with this policy, please create a ticket with Bugcrowd Support before proceeding.