Last Updated: 13 August 2020
These Responsible Vulnerability Disclosure Guidelines (“Guidelines”) describe the voluntary program through which Innovative Emergency Management, Inc. (“IEM”) will engage with parties who identify and report to IEM potential security vulnerabilities in a responsible manner. These Guidelines apply only to disclosure of potential vulnerabilities affecting systems owned or controlled by IEM, and not to those affecting any other systems, including those owned or controlled by any IEM clients, business partners, or others. IEM will validate and remediate verified vulnerabilities in accordance with our commitment to security. IEM reserves the right, in its sole discretion, to modify the terms of these Guidelines or to terminate any or all of them at any time.
Parties conducting security research and vulnerability disclosure activities must comply with all applicable federal, state, and local laws. For parties who conduct security research and vulnerability disclosure activities in accordance with these Guidelines, IEM will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and in the event of any law enforcement or civil action brought by anyone other than IEM, IEM will take reasonable steps to make known that the activities of the affected parties were conducted pursuant to and in compliance with these Guidelines. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-IEM entity, such non-IEM entity may independently determine whether to pursue legal action or remedies related to such activities. IEM does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. Any party who engages in an activity that is inconsistent with these Guidelines or any applicable law may be subject to criminal and/or civil liabilities.
Security research and vulnerability disclosure activities conducted under these Guidelines must be limited exclusively to testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability; sharing information with IEM related to a potential vulnerability; or receiving information from IEM related to a potential vulnerability. Parties who conduct security research and vulnerability disclosure activities in accordance with these Guidelines must do no harm, including without limitation: exploiting any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists; intentionally accessing, modifying, or deleting the content of any communications, data, or information transiting or stored on IEM network(s) or system(s); compromising the privacy or safety of IEM employees, IEM clients, or any third parties; intentionally compromising the intellectual property or other commercial or financial interests of IEM, IEM employees, IEM clients, or any third parties; posting, transmitting, uploading, linking to, sending, executing, or storing any malicious software on any IEM network(s) or system(s); testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages; or testing in a manner that would degrade or disrupt the operation of any IEM network(s) or system(s), including without limitation executing or attempting to execute a denial of service attack.
Reporting parties may submit a report via e-mail to firstname.lastname@example.org. The report must include: product or service name, URL, or affected version information; operating system of involved components; version information; a technical description of what actions were being performed and the result, in as much detail as possible; sample code that was used to test or demonstrate the vulnerability; the reporter’s contact information; other parties involved; threat/risk assessment details of the identified threats and/or risks, including a risk level (high, medium, low) for the assessment result; the software configuration of the computer or device at the time of discovering the vulnerability; relevant information about connected components and devices if the vulnerability arises during interaction (when a secondary component or device triggers the vulnerability, these details should be provided); time and date of discovery; and browser information, including type and version. Enough detail must be provided to allow IEM to reproduce the vulnerability. By submitting information to IEM through this process, the reporting party agrees that submission of the information does not create any rights for the reporting party, that such information will be considered non-confidential and non-proprietary to the reporting party, and that IEM will be entitled to use such information, in whole or in part, for any use or purpose whatsoever, without restriction and without compensating the reporting party or in any other way obligating IEM.
Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from IEM will render the submission noncompliant with these Guidelines. IEM does not provide compensation in exchange for information pertaining to security vulnerabilities. IEM may choose not to pursue, contact, or otherwise interact with parties who decline to identify themselves when making the report. IEM will deal in good faith with reporting parties who comply with these Guidelines. IEM may choose to disregard submissions by parties who submit a high volume of low-quality reports.