Vulnerability Disclosure Program (VDP)

Goals:

  • Encourage responsible disclosure of vulnerabilities through a structured program
  • Provide a disclosure portal through which researchers can submit vulnerability reports
  • Assess every report and take remediation steps within the specified timelines
  • Collaborate with ethical researchers to enhance system security and acknowledge their contributions

Authorization:

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Crow Canyon Systems will not recommend or pursue legal action related to your research. Should a third party initiate legal action against you for activities conducted in accordance with this policy, we will make this authorization known.

Test methods:

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
  • Full red-team penetration testing that involves unauthorized access to our servers

Scope:

  • Includes all web-based applications, APIs, and proprietary software.
  • Excludes third-party software and systems not directly managed by Crow Canyon Systems.

Guidelines:

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Process:

  1. You may submit vulnerability reports through our disclosure portal.
    1. To help us triage and prioritize submissions, we recommend that your reports:
      1. Describe where the vulnerability was discovered and the potential impact of exploitation.
      2. Give a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
      3. Be in English, if possible.
  2. If contact information is provided, we will acknowledge receipt within 3 business days.
  3. If contact information is provided, we will be transparent to the extent possible throughout the remediation process.

Crow Canyon Systems (CCS) does not provide payment to reporters for submitting vulnerabilities.

  • Reporters submitting vulnerabilities to CCS, in so doing, waive any claims to compensation.