Responsible Disclosure Policy

August 24, 2021
Version 1.0

POLICY

VentureWell takes protecting our customers’ data seriously, and that starts with being transparent about our security practices. Providing a method for security researchers to responsibly report vulnerabilities is essential to that transparency.

REPORTING

If you believe you have found a security vulnerability related to the VentureWell website, please let us know. We will investigate legitimate reports and do our best to fix valid issues. Your report should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept. You can submit your report by emailing responsible-disclosure@venturewell.org.

OUR COMMITMENT TO RESEARCHERS

If you responsibly report a vulnerability in accordance with this policy, we will:

  • Promptly respond to acknowledge the receipt of your report.
  • Provide an estimated timeframe for addressing the vulnerability.
  • Notify you when the vulnerability has been remediated.

VULNERABILITY DISCLOSURE

Your report will be sent to the VentureWell Security team and will remain non-public while it is investigated. Once a report has been validated, the VentureWell Security team will decide whether the vulnerability will be made public.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail;
  • Be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope;
  • Do not access or modify our data or our users’ data without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to VentureWell;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
  • Otherwise comply with all applicable laws.

We will not negotiate in response to duress or threats (e.g. we will not pay a bounty under threat of withholding the vulnerability, or under threat of releasing the vulnerability or any exposed data to the public).

TARGETS IN SCOPE

Target                Eligible           Ineligible
VentureWell website   venturewell.org    *.venturewell.org

PROHIBITED ACTIONS

  • Any action that may negatively affect VentureWell or our users (e.g. spam, brute force, DoS)
  • Accessing data that you are not the owner of
  • Destroying or corrupting data
  • Social engineering VentureWell personnel or our customers
  • Attacks requiring MITM or physical access to a user’s device
  • Violating any laws or agreements

MODIFICATION

We may modify the terms of this policy at any time.

OWNERSHIP AND REVIEW

This document is owned by the VentureWell Security Team.
This document shall be reviewed on an annual basis.