Vulnerability Disclosure Program

VULNERABILITY DISCLOSURE 

FrontSpin is committed to ensuring the safety and security of our employees, contractors, customers and others who use our products and services. As part of this commitment, we’ve established a vulnerability disclosure program to provide guidance for our digital products and information systems.

You are encouraged to disclose to us any vulnerability in a FrontSpin digital product, website or web application.

FrontSpin Vulnerability Disclosure Policy

Purpose

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at FrontSpin’s digital products and information systems, and for submitting discovered vulnerabilities to FrontSpin.

Overview

The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and FrontSpin recognizes that fostering a close relationship with the community will help improve our own security.

Information submitted to FrontSpin under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our digital products, networks or applications, or the applications of our vendors.

Scope

Any digital product, public-facing website or web API owned, operated, or controlled by FrontSpin, including web applications hosted on those products and sites.

How to Submit a Report

Please send an email to security@frontspin.com. Include a detailed summary of the vulnerability: the type of issue; the digital product, version, and configuration of the software containing the bug; step-by-step instructions to reproduce the issue; a proof of concept; the impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By sending this information you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to FrontSpin digital products and information systems, and consent to having the contents of the communication and follow-up communications stored. Any personal information submitted as part of the report, such as your email address, will only be used for the purpose of communicating with you about the report and will not be used for any other purpose. In order to track trends in vulnerabilities, these reports may be held for up to 5 years, after which they will be deleted from our systems and back-ups.

Guidelines

FrontSpin will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  • Your activities are limited exclusively to testing to detect a vulnerability or identify an indicator related to a vulnerability, and to sharing with, or receiving from, FrontSpin information about a vulnerability or an indicator related to a vulnerability.
  • You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • You avoid intentionally accessing the content of any FrontSpin data in transit or data at rest, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • You do not exfiltrate any data under any circumstances.
  • You do not compromise the privacy or safety of FrontSpin personnel or any third parties.
  • You do not intentionally compromise the intellectual property or commercial interests of any FrontSpin personnel or entities, or any third parties.
  • You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from FrontSpin.
  • You do not conduct denial of service testing.
  • You do not conduct social engineering, including spear phishing, of FrontSpin personnel or contractors.
  • You do not submit a high volume of low-quality reports.
  • If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously and appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.

FrontSpin must take extra care while investigating the impact of vulnerabilities and providing a fix, so we ask for your patience during this period.

We ask that you do not share an unresolved vulnerability with, or publicize it to, third parties. If you responsibly submit a vulnerability report, the FrontSpin security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify you when the vulnerability has been fixed

We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at FrontSpin.

Where necessary or if we are unable to resolve communication issues or other problems, FrontSpin may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Legal

You must comply with all applicable International, Federal, State, and local laws, including applicable Data Protection Law in connection with your security research activities or other participation in this vulnerability disclosure program.

FrontSpin does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

You agree that You shall not, without the prior written consent of FrontSpin in each instance (i) use in advertising, publicity or otherwise the name of FrontSpin or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by FrontSpin or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by FrontSpin.

You agree that any and all information, including personal information, acquired or accessed by You as part of this exercise is confidential to FrontSpin (“Confidential Information”), and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties, or use such information for any purpose other than for the performance of Your work under this policy.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, FrontSpin will not initiate or recommend any law enforcement or civil lawsuits related to such activities. To the extent that any security research or vulnerability disclosure activity involves the products, networks, systems, information, applications, or services of a non-FrontSpin entity (such as a FrontSpin supplier), FrontSpin will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

FrontSpin may modify the terms of this policy or terminate the policy at any time.
