Vulnerability Disclosure Policy
Forward Thinking Systems prioritizes the security of our customers, colleagues and partners by safeguarding their data. We recognize the value of collaborating with independent researchers, global industry bodies, partners, and the broader community to identify potential flaws in our technology. This Vulnerability Disclosure Policy (this “VDP”) gives security researchers clear guidelines for conducting vulnerability research against our systems and describes our preferred method for reporting vulnerabilities to us.
This policy specifies which systems and types of research are covered, how to report vulnerabilities to Forward Thinking Systems, and how long we ask security researchers to wait before publicly disclosing a vulnerability.
We encourage you to contact us pursuant to this policy to report potential vulnerabilities in our products.
If you make a good faith effort to adhere to this policy during your security research and investigations, we will consider your research authorized. We will collaborate with you to promptly address and resolve the issue, and Forward Thinking Systems will not recommend or pursue legal action in connection with your findings. If a third party launches legal proceedings against you for actions taken in accordance with this policy, we will make this authorization known.
Under this policy, “research” is defined as activities in which you:
- Notify us as soon as possible after you discover a potential or real security issue.
- Make every effort to prevent breaches of privacy, degradation of user experience, any disruption to production systems, and the manipulation or destruction of data.
- Only use exploits to the extent that is necessary to confirm that a vulnerability is present. Do not use an exploit to compromise or exfiltrate data, establish access to a system, or otherwise use the exploit to pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a substantial volume of low-quality reports.
After confirming the presence of a vulnerability or discovering any sensitive data (such as personal identification details, financial information or records, or any third party's proprietary information or trade secrets), you must stop all tests, notify us immediately, and refrain from sharing this data with anyone else.
When reporting issues, please omit any sensitive or personal information (such as personal identification details, financial information or records, or any third party's proprietary information or trade secrets) in any evidence provided.
You may only access and interact with accounts you own or accounts for which you have explicit permission from the account holder(s). The methods used to examine or validate an issue must be what is generally considered reasonable and in good faith. In particular, and without limitation:
- Do not cause potential or actual damage to our systems, applications, or users. This includes brute-force attacks against our applications, products, or services, denial-of-service (DoS/DDoS) attacks, and any other disruptive testing.
- Do not perform automated scraping or fuzzing, or conduct large-scale or blind scans with automated tools; these are strictly prohibited.
- Do not perform attacks that target data centers, partners, affiliates, or the property of our personnel.
- Do not conduct social engineering activity (e.g., phishing, smishing, vishing) to gain access to any Forward Thinking Systems personnel, colleague, application, product, or service.
- Do not exploit a vulnerability (known or otherwise) to view data you are not authorized to access, or to corrupt data. When validating data exfiltration, test only the minimum amount necessary to demonstrate the issue. Do not download more data than is strictly necessary to demonstrate the issue, and do not modify or delete any data.
If a vulnerability is discovered, the researcher must provide a detailed summary of the vulnerability, including (but not limited to) the following:
- Clear descriptions of the vulnerability and its potential impact;
- Product name, version, and configuration of any software or hardware that may be potentially affected;
- Step-by-step directions to reproduce the issue;
- A proof-of-concept; and
- Suggested remediation or mitigation steps, as appropriate.
We accept vulnerability reports by email at [email protected]. Reports may be submitted anonymously if necessary. If you share contact information with us, we will acknowledge receipt of your report within three business days.
By submitting a vulnerability report, you acknowledge that any reward is at the sole discretion of Forward Thinking Systems, that you have no expectation of compensation, and that you expressly waive any future claims for payment against Forward Thinking Systems.
What we would like to see from your submission
To help us address and prioritize vulnerability submissions, we recommend that your vulnerability reports:
- Describe where the vulnerability was discovered and the potential impact of exploiting it.
- Offer a thorough description of the steps needed to reproduce the vulnerability (screenshots or proof of concept scripts are recommended).
- Are written in English, if possible.
What you can expect from us
If you choose to share your contact information with us, we commit to coordinating with you as quickly and openly as possible.
- We will acknowledge that your vulnerability report has been received within 3 business days.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as open as possible about our remediation process, including the issues or challenges that may delay a resolution.
- We will endeavor to maintain an open dialogue to discuss the issue(s).
Questions regarding this policy may be sent directly to [email protected]. We also invite you to contact us with suggestions for improving this policy.
Non-Disclosure Agreement: Any details about vulnerabilities that you discover must be treated as confidential to Forward Thinking Systems. You agree not to publicly share, or disclose to any external party (other than Forward Thinking Systems), any confidential data or sensitive information without prior written consent from Forward Thinking Systems’ Information Security team. If Forward Thinking Systems’ Information Security team so requests, you agree to immediately return or destroy any and all copies of such confidential data, as well as any related notes.
You must comply with all applicable laws, rules, and regulations (including those local to you) with respect to your activities under Forward Thinking Systems’ VDP. If a reward is approved, it will not be issued to you if you are (a) on a US Government list of restricted or sanctioned individuals, or affiliated with any restricted or sanctioned entity, or (b) located in a country subject to a US (United States) embargo.
Forward Thinking Systems reserves the right to modify the terms and conditions of this VDP from time to time and your participation in the VDP Program constitutes acceptance of any and all terms. Please check this policy regularly as we routinely update our VDP terms and eligibility, which are effective upon posting. We reserve the right to cancel this VDP Program at any time.