August 24, 2021
VentureWell takes protecting our customers’ data seriously, and that starts with being transparent about our security practices. Providing a method for security researchers to responsibly report vulnerabilities is essential for that transparency.
If you believe you have found a security vulnerability related to the VentureWell website, please let us know. We will investigate legitimate reports and do our best to fix valid issues. Your report should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept. You can submit your report by emailing firstname.lastname@example.org.
OUR COMMITMENT TO RESEARCHERS
If you responsibly report a vulnerability in accordance with this policy, we will:
- Promptly respond to acknowledge the receipt of your report.
- Provide an estimated timeframe for addressing the vulnerability.
- Notify you when the vulnerability has been remediated.
Your report will be sent to the VentureWell Security team and will remain non-public while it is investigated. Once a report has been validated, the VentureWell Security team will decide whether the vulnerability will be made public.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that
- Share the security issue with us in detail;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope;
- Do not access or modify our data or our users’ data without explicit permission of the owner. Only interact with your own accounts or test accounts for security research
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to VentureWell;
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
- Otherwise comply with all applicable laws.
We will not negotiate in response to duress or threats (e.g. we will not pay a bounty under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the
TARGETS IN SCOPE
- Any action that may negatively affect VentureWell or our users (e.g. spam, brute force, DoS)
- Accessing data that you are not the owner of
- Destroying or corrupting data
- Social engineering VentureWell personnel or our customers
- Attacks requiring MITM or physical access to a user’s device
- Violating any laws or agreements
We may modify the terms of this policy at any time.
OWNERSHIP AND REVIEW
This document is owned by the VentureWell Security Team.
This document shall be reviewed on an annual basis.