Responsible Vulnerability Disclosure Guidelines

Last Modified: 23 November 2020

Innovative Emergency Management, Inc. and its subsidiaries and affiliates (collectively, “IEM,” “we,” “us,” or “our”) is committed to ensuring the security of information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and for reporting potential security vulnerabilities to us in a responsible manner.

Authorization

Parties conducting security research and vulnerability disclosure activities must comply with all applicable federal, state, and local laws. For parties who conduct security research and vulnerability disclosure activities in accordance with this Vulnerability Disclosure Policy, we will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and in the event of any law enforcement or civil action brought by anyone other than us, we will take reasonable steps to make known that the activities of the affected parties were conducted pursuant to and in compliance with this Vulnerability Disclosure Policy. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-IEM entity, such non-IEM entity may independently determine whether to pursue legal action or remedies related to such activities. We do not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. Any party who engages in an activity that is inconsistent with this Vulnerability Disclosure Policy or any applicable law may be subject to criminal and/or civil liabilities.

Guidelines

This Vulnerability Disclosure Policy applies to the following systems and services:

  • Websites operated by us.
  • Software applications made available by us for use on or through computers and mobile devices.
  • Our social media pages and applications.

Any system or service not expressly listed above, including any connected systems or services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems owned or controlled by third parties fall outside the scope of this Vulnerability Disclosure Policy and should be reported directly to the third party according to its vulnerability disclosure policy (if any).

Though we develop and maintain other Internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this Vulnerability Disclosure Policy.

Security research and vulnerability disclosure activities conducted under this Vulnerability Disclosure Policy must be limited exclusively to:

  • Testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability.
  • Sharing information with us related to a potential vulnerability.
  • Receiving information from us related to a potential vulnerability.

Parties who conduct security research and vulnerability disclosure activities in accordance with this Vulnerability Disclosure Policy must do no harm, including without limitation:

  • Exploiting any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems or services.
  • Intentionally accessing, modifying, or deleting the content of any communications, data, or information transiting or stored on our systems or services.
  • Compromising the privacy or safety of our employees, our clients, or any third parties.
  • Intentionally compromising the intellectual property or other interests of IEM, our employees, our clients, or any third parties.
  • Posting, transmitting, uploading, linking to, sending, executing, or storing any malicious software.
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages.
  • Testing in a manner that would degrade, disrupt, or damage the operation of any systems or services, including without limitation executing or attempting to execute a denial of service attack.
  • Performing physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.

Reporting

Reporting parties may submit a report via e-mail to responsibledisclosure@iem.com. The report must include:

  • Product or service name, Uniform Resource Locator, or affected version information.
  • Operating system of involved components.
  • Version information.
  • Detailed technical description of what actions were being performed and the results.
  • Sample code that was used to assess or demonstrate the vulnerability.
  • Reporter’s contact information.
  • Other parties involved.
  • Threat/risk assessment details of the identified threats and/or risks, including a risk level (high, medium, low) for each assessment result.
  • Software configuration of the computer or device at the time the vulnerability was discovered.
  • Relevant information about connected components and devices if the vulnerability arises during an interaction (when a secondary component or device triggers the vulnerability, those details should be provided).
  • Time and date of discovery.
  • Browser information including type and version information.

Enough detail must be provided to allow us to reproduce the vulnerability. Once it has been established that a vulnerability exists, or upon any encounter with sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party):

  • Stop all testing.
  • Notify us immediately as described below.
  • Do not disclose the vulnerability or data to any other party.

Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from us will render the submission noncompliant. We may choose not to pursue, contact, or otherwise interact with parties who decline to identify themselves when making the report. We will deal in good faith with reporting parties who comply with this Vulnerability Disclosure Policy. We may choose to disregard submissions from parties who submit a high volume of low-quality reports.

By submitting information to us through this process, the reporting party agrees that submission of the information does not create any rights for the reporting party, that such information will be considered non-confidential and non-proprietary to the reporting party, and that we will be entitled to use such information, in whole or in part, for any purpose whatsoever, without restriction and without compensating the reporting party or in any other way obligating us. By submitting a vulnerability, the reporting party acknowledges that they have no expectation of payment and that they expressly waive any future claims for payment against IEM related to their submission. We reserve the right to modify the terms of this Vulnerability Disclosure Policy at our sole discretion and at any time.

© 2021 IEM. All Rights Reserved.