Product security vulnerability disclosure policy

This policy aims to provide information on how we handle reported security vulnerabilities found on our products and services, including responsibility, communication, report contents, scope, timeline, and security advisory.

We commit to:

• Disclose known vulnerabilities and their fixes to our customers in a manner that protects our company and customers. Disclosures made by us will include credit to the person who first identified the vulnerability unless otherwise requested by the one who reported it.
• Be open to communicating and working with security researchers or reporters who come to us with a shared interest in improving security and coordinating the distribution of information that includes both the vulnerability and the solution that addresses it.
• Publicly acknowledge in a written advisory the work of a security researcher or reporter who brings our company valid information about a vulnerability privately and then works with us to coordinate the public announcement after the availability of a fix.
• Allow security researchers or reporters to post our advisory link on their websites as recognition for identifying the vulnerability and working with us to fix it.

Security researchers or reporters shall not:

• Exploit a discovered vulnerability other than for testing purposes and should conduct such testing with their account or a test account. 
• Perform denial of service or social engineering attacks, compromise our system, persistently maintain access to it, install malware or viruses, steal passwords, or use brute force to gain access to our systems.
• Share the vulnerability with third parties or distribute it without our expressed consent.
• Deliberately attempt to intercept, record, or become aware of communications that are not accessible to the public.
• Violate privacy laws or regulations, unauthorized access or destruction of data, and interruption or degradation of our products and services.