Vulnerability Disclosure Policy
Data security is a top priority for Polytomic, and Polytomic believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you've found a security vulnerability in Polytomic’s service, please notify us; we will work with you to resolve the issue promptly
Disclosure Policy
- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@polytomic.com. We will acknowledge your email within 7 days
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 90 days of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Polytomic service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Exclusions
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS)
- Spamming
- Social engineering or phishing of Polytomic employees or contractors
- Any attacks against Polytomic’s physical property or data centers
Thank you for helping to keep Polytomic and our users safe!
Safe Harbor
Polytomic strongly supports security research into our products and wants to encourage that research.
As a result, we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this Vulnerability Disclosure Policy, or for any accidental or good faith violation of this policy. This includes any claim under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.
As long as you comply with this policy:
- We consider your security research to be "authorized" under the Computer Fraud and Abuse Act,
- We waive any restrictions in our applicable Terms of Service that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.
We understand that many Polytomic systems and services are interconnected with third-party systems and services. While we can authorize your research on Polytomic's systems and services, and promise that Polytomic will not bring or threaten litigation against you for your efforts under this policy, we cannot authorize efforts on third-party products or guarantee they won’t pursue legal action against you. However, if a third party threatens or brings any legal action against you for your efforts under this policy, we are willing to make clear—to the Court, the public, or otherwise--that we authorized your efforts to test and research the security of Polytomic's eligible systems and services.
If you’re not sure whether your conduct complies with this policy, please contact us first at security@polytomic.com and we will do our best to clarify.
Changes
We may revise these guidelines from time to time. The most current version of the guidelines will be available at www.polytomic.com/vulnerability-disclosure.