Vulnerability Disclosure Policy
At RecordPoint, we take the security of our systems, products, and services seriously. We value the contributions of the security community in helping us maintain the highest standards of cybersecurity. If you have discovered a vulnerability in any of our systems, we encourage you to report it to us so that we can take the necessary steps to resolve the issue promptly.
Reporting a Vulnerability
If you believe you have identified a security vulnerability in one of our systems, please follow these steps to report it:
- Contact us: Send an email to trust@recordpoint.com with the subject line "Vulnerability Report." Provide a detailed description of the vulnerability, including:
- The product, service, or system affected.
- Steps to reproduce the vulnerability.
- Any potential impact on users or data.
- Any suggestions for how we can address the issue.
- Do not disclose publicly: We kindly request that you refrain from publicly disclosing any information about the vulnerability until we have had the opportunity to investigate and resolve it.
- Work with us: We are committed to collaborating with you to understand and resolve the issue. We will confirm receipt of your report within 72 hours and work to provide an estimated timeline for remediation. During this process, we may reach out for additional information or clarification.
Our Commitment
- We will respond to your vulnerability report in a timely manner and keep you informed of the status of our remediation efforts.
- We aim to address confirmed vulnerabilities swiftly, based on the severity and potential impact on our users.
- We will credit your discovery unless you prefer to remain anonymous.
- No legal action will be taken against those who follow this responsible disclosure process in good faith.
Out of Scope
While we appreciate all efforts to improve our security, certain types of vulnerabilities may be out of scope for this program, including:
- Reports related to outdated browsers or plugins.
- Denial of Service (DoS) vulnerabilities.
- Social engineering attacks.
Safe Harbor
Any vulnerability disclosures made in compliance with this policy will be considered authorized conduct. We will not pursue legal action for security research conducted under these guidelines. However, this policy does not provide indemnity for actions that are unlawful or that violate other agreements with our company.
Contact
If you have any questions about this policy, please contact us at trust@recordpoint.com.