Forward Thinking Systems prioritizes the security of our customers, colleagues and partners by safeguarding their data. We recognize the significance of collaborating with independent experts, global industry bodies, partners, and the broader global community to pinpoint potential technological flaws. This Vulnerability Disclosure Policy (this “VDP”) aims to provide security researchers a clear framework for vulnerability detection processes and outlines our preferred methods for vulnerability reporting to us.
This policy specifies which systems and research areas fall are covered, how to report vulnerabilities to Forward Thinking Systems, and states our requested timeframe for security researchers to hold off on public vulnerability disclosures.
We encourage you to contact us pursuant to this policy to report potential vulnerabilities in our products.
If you make a good faith effort to adhere to this policy during your security research and investigations, we will recognize your research as authorized. We will collaborate with you to promptly address and resolve the issue, and Forward Thinking Systems will refrain from suggesting or seeking legal action in connection to your findings. If a third party launches legal proceedings against you for actions taken under in accordance with this policy, we will make this authorization known.
Under this policy, “research” is defined as activities in which you:
After confirming the presence of a vulnerability or discovering any sensitive data (such as personal identification details, financial information or records, or any third party's proprietary information or trade secrets), you must stop all tests, notify us immediately, and refrain from sharing this data with anyone else.
When reporting issues, please omit any sensitive or personal information (such as personal identification details, financial information or records, or any third party's proprietary information or trade secrets) in any evidence provided.
You may only access and interact with accounts you own or accounts where you have explicit permission from the account holder(s). The methods employed to examine or validate an issue should be in line with what is generally considered reasonable and in good faith, such as, including without limitation:
If a vulnerability is discovered, the researcher must provide a detailed summary of the vulnerability, including (but not limited to) the following:
We accept vulnerability reports submission via email to [email protected]. Reports may be submitted anonymously if necessary. If you share contact information with us, we will acknowledge receipt of your report within three business days.
By submitting a vulnerability, you acknowledge that any potential reward is at the discretion of Forward Thinking Systems, that you have no expectation of compensation and that you expressly waive any future pay claims against Forward Thinking Systems.
To help us address and prioritize vulnerability submissions, we recommend that your vulnerability reports:
If you choose to share your contact information with us, we will commit to coordinating with you as quickly and openly as possible.
Questions regarding this policy may be sent directly to [email protected]. We also invite you to contact us with suggestions for improving this policy.
Non-Disclosure Agreement: Any details about vulnerabilities that you discover must be treated as confidential to Forward Thinking Systems. You commit to not publicly share, or disclose to any external parties (excluding Forward Thinking Systems), any of confidential data or sensitive information without receiving prior written consent from Forward Thinking Systems’ Information Security team. Should the Forward Thinking Systems’ Information Security team request, you agree to immediately return or destroy any and all copies of such confidential data, as well as any related notes.
You must comply with all applicable laws, rules, and regulations (including those local to you) with respect to your activities related to Forward Thinking Systems’s VDP. If a reward is approved, rewards will not be issued to you if you are (a) on a US Government list of restricted or sanctioned individuals or affiliated with any restricted or sanctioned entities or (b) in a US (United States) embargoed country.
Forward Thinking Systems reserves the right to modify the terms and conditions of this VDP from time to time and your participation in the VDP Program constitutes acceptance of any and all terms. Please check this policy regularly as we routinely update our VDP terms and eligibility, which are effective upon posting. We reserve the right to cancel this VDP Program at any time.