Last Modified: February 14, 2023
Innovative Emergency Management, Inc. and our affiliated entities (together, “IEM,” “we,” “us,” or “our”) are committed to ensuring the security of information. This policy provides security researchers with clear guidelines for conducting vulnerability discovery activities and responsibly reporting potential security vulnerabilities to us.
Parties conducting security research and vulnerability disclosure activities must comply with all applicable federal, state, and local laws. For parties who conduct security research and vulnerability disclosure activities following this policy, we will not initiate or recommend any law enforcement or civil lawsuits related to such activities. In case of any law enforcement or civil action brought by anyone other than us, we will take reasonable steps to make known that the activities of the affected parties were conducted according to and in compliance with this policy. To the extent that any security research or vulnerability disclosure activity involves any third party’s networks, systems, information, applications, products, or services, the third party may independently determine whether to pursue legal action or remedies related to such activities. We do not authorize, permit, or otherwise allow, expressly or impliedly, anyone to engage in any illegal activity. Any party participating in an action inconsistent with this policy or applicable law may be subject to criminal or civil liabilities.
This policy applies to the following systems and services:
- Websites operated by us.
- Software applications made available by us for use on or through computers and mobile devices.
- Our social media pages and applications.
Any system or service not expressly listed above, such as any connected systems or services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems owned or controlled by third parties fall outside the scope of this policy. They should be reported directly to the third party according to their policies.
Though we develop and maintain other Internet-accessible systems or services, we ask that active research and testing be conducted only on the systems and services covered by the scope of this policy.
Security research and vulnerability disclosure activities conducted under this policy must be limited exclusively to:
- Testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability.
- Sharing information with us related to a potential vulnerability.
- Receiving information from us related to a potential vulnerability.
Parties who conduct security research and vulnerability disclosure activities under this policy must not cause harm, which includes, without limitation:
- Exploiting any security vulnerability beyond the minimal testing required to demonstrate that a potential vulnerability exists. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems or services.
- Intentionally accessing, modifying, or deleting the content of any communications, data, or information transiting or stored on our systems or services.
- Compromising the privacy or safety of our employees, clients, or any third parties.
- Intentionally compromising the intellectual property or other interests of IEM, our employees, clients, or any third parties.
- Posting, transmitting, uploading, linking, sending, executing, or storing any malicious software.
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages.
- Testing in a manner that would degrade, disrupt, or damage the operation of any systems or services, including, without limitation, executing or attempting to execute a denial of service attack.
- Performing physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
Reporting parties may submit a report via e-mail to email@example.com. The report must include the following:
- Product or service name, Uniform Resource Locator, or affected version information.
- Operating system of the components involved.
- Version information.
- Detailed technical description of what actions were being performed and the results.
- Sample code that was used to assess or demonstrate the vulnerability.
- Reporter’s contact information.
- Other parties involved.
- Threat/risk assessment details of the identified threats or risks, including a risk level (high, medium, low) for assessment results.
- Software configuration of the computer or device at the time the vulnerability was discovered.
- Relevant information about connected components and devices if the vulnerability arises during interaction (when a secondary component or device triggers the vulnerability, these details should be provided).
- Time and date of discovery.
- Browser information, including type and version information.
Enough detail must be provided to allow us to reproduce the vulnerability. Once it has been established that a vulnerability exists, or upon any encounter with sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party):
- Stop all testing.
- Notify us immediately as described below.
- Do not disclose the vulnerability or data to any other party.
Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from us will render the submission non-compliant. We may choose not to pursue, contact, or otherwise interact with parties who decline to identify themselves when making the report. We will deal with reporting parties who comply with this policy in good faith. We may disregard submissions by parties who submit a high volume of low-quality reports.
By submitting information to us through this process, the reporting party agrees that submission of the information does not create any rights for the reporting party, that such information will be considered non-confidential and non-proprietary to the reporting party, and that we will be entitled to use such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating the reporting party or in any other way obligating us. By submitting a vulnerability, the reporting party acknowledges that they have no expectation of payment and expressly waives any future claims for payment against IEM related to their submission. We reserve the right to modify the terms of this policy at our sole discretion and at any time.