Responsible Vulnerability Disclosure Policy

At Pitchstone Technology, we prioritize the security of our systems, applications, and users. Despite our best efforts to create secure products, vulnerabilities may still exist. To maintain trust and safeguard the information of our users, we encourage security researchers to responsibly disclose any vulnerabilities they identify.
This Responsible Vulnerability Disclosure Policy outlines how security researchers can report vulnerabilities, our commitment to addressing them, and our promise to protect researchers acting in good faith.

Scope

We encourage security researchers to report any vulnerabilities that could impact the confidentiality, integrity, or availability of our systems, applications, and services.
In-Scope
The following assets are within the scope of this policy:
  • All Pitchstone web applications and APIs.
  • Backend services that interact with our applications or APIs.
Out-of-Scope
The following are considered out of scope:
  • Vulnerabilities in third-party applications, platforms, or services not managed by Pitchstone Technology.
  • Social engineering attacks, including phishing and vishing.
  • Physical security testing (e.g., office or data center access).
  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) testing.
  • Reports related to outdated browsers or plugins that are no longer supported.

Rules of Engagement

To ensure a responsible disclosure process and minimize risk to our users, researchers must:
  • Act in good faith to avoid compromising user data, degrading system performance, or impacting availability.
  • Avoid unauthorized access to user accounts or data beyond what is necessary to demonstrate the vulnerability.
  • Refrain from publicly disclosing vulnerabilities until Pitchstone Technology has had the opportunity to investigate and resolve the issue.
  • Limit testing to accounts or resources you own or have explicit permission to use.
Failure to comply with these rules may disqualify your submission from acknowledgment or safe harbor protections.

How to Report a Vulnerability

We welcome vulnerability reports through the following channels:
Please include the following information in your report:
  • A detailed description of the vulnerability.
  • Steps to reproduce the issue, including screenshots or video recordings, if applicable.
  • The potential impact of the vulnerability.
  • Any suggestions for remediation, if applicable.
We also encourage researchers to follow Coordinated Vulnerability Disclosure (CVD) practices where possible.

Response and Remediation Process

Our process for handling reports is as follows:
  • Acknowledgment: We will acknowledge receipt of your report within 3 business days.
  • Investigation: Our security team will investigate the vulnerability and determine its validity and severity.
  • Remediation: Valid vulnerabilities will be addressed promptly, and we will keep you updated throughout the process.
  • Disclosure: Once the issue is resolved, we may work with you to disclose the vulnerability publicly, if appropriate.

Recognition

We are grateful to researchers who help us improve the security of our systems. Depending on the nature and impact of the vulnerability, we may provide:
  • Public acknowledgment (if desired).
  • Swag, thank-you notes, or other non-monetary tokens of appreciation.

Safe Harbor

Pitchstone Technology is committed to protecting researchers who follow this policy and act in good faith. We will:
  • Consider your activities authorized under this policy and not take legal action against you for testing within the scope and rules of engagement.
  • Work with you to resolve any legal or regulatory issues that may arise as a result of your research under this policy.
However, this safe harbor does not apply to actions that are out of scope or violate the rules of engagement.

Questions or Feedback

If you have any questions about this policy or would like clarification, please contact us at security@pitchstonetechnology.com.
Thank you for helping us maintain the security and integrity of Pitchstone Technology’s products and services. Together, we can build a safer and more secure digital ecosystem.