Responsible Disclosure Policy
Last updated June 3rd, 2021
At Reclaim.ai, we treat your privacy and data security as job zero. However, regardless of time and investment into information security efforts, we also acknowledge that vulnerabilities can be discovered and present. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our systems, our customers and their data.
This policy is designed to create a clear communication path around reporting and disclosing exploitable vulnerabilities in our systems.
We kindly request that all security researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction of data during any security testing;
- Perform security research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us;
- Do not take in any way advantage of the vulnerability or problem discovered;
- Do not download, copy, transfer or publish any data and/or information that is exposed or accessible without contacting us first;
- Do not use the vulnerability or data to gain access to the systems of Reclaim.ai;
- Keep information about any vulnerabilities discovered confidential between yourself and Reclaim.ai until (i) we have had 60 days to respond and resolve the issue, or until (ii) we have provided notification that the issue has been resolved, whichever occurs first.
If the above guidelines are followed when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your security research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 business days of submission), if the issue poses an actually exploitable vulnerability;
- Recognize, with your consent, your contribution on our Security Researcher List, if you are the first to report the issue and we make a code or configuration change based on resolution of the issue.
Services under (or a sub-domain of) the domains:
Out of Scope
Any services hosted by 3rd party providers and services are excluded from scope. These services include:
- Amazon Web Services (to the extent the issue is not at a Reclaim.ai application / service level)
- Google Cloud Platform / G-Suite
In the interest of the safety of our customers, employees, the Internet at large and you as as security researcher, the following types of tests and research are excluded from scope:
- Findings from physical testing (i.e., at offices, following employees, etc.)
- Findings derived primarily from social engineering (i.e., phishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs (i.e., copy errors, spelling mistakes)
- Network level Denial of Service (DoS/DDoS) attacks
Things we do NOT want to receive:
- Any Personally Identifiable Information (PII), of other customers or employees;
- Any customer’s privileged and/or client confidential information (i.e., preferences, calendar data, tokens)
How to Report a Security Vulnerability
If you believe you have found a security vulnerability in one of Reclaim.ai’s products or platform, please notify us by emailing firstname.lastname@example.org
. Please include the following details with your report:
- Description and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots and videos are all helpful); and
- Your name/handle and a link for recognition, or inform us that you do not want to be mentioned.