This repository has been archived by the owner on Jul 25, 2023. It is now read-only.

Security: form3tech-oss/go-jose

.github/SECURITY.md

Security Policy

Thank you for helping us keep our software safe and secure. We value the security community and the important work you do. This document outlines our approach to handling security vulnerabilities.

Reporting a Vulnerability

If you believe you have discovered a potential vulnerability relating to Form3's systems, please responsibly disclose your findings to our team using the following mailbox:

responsible.disclosure@form3.tech

When reporting a vulnerability, we request that you:

  • Provide detailed information: Include a description of the vulnerability and the areas/software/versions affected.
  • Technical details: This should include a non-disruptive proof of concept with relevant screenshots, code snippets and other materials that will help us to further understand the problem. This will help us triage your report swiftly and accurately.
  • Exercise patience: Please allow us a reasonable time to investigate and respond to your report before making any public disclosures. We will aim to keep you informed of our progress.
  • Act in good faith: Avoid any actions that could disrupt services or compromise data for our users.

Our commitment

  • We will acknowledge the receipt of your vulnerability report as soon as possible.
  • We will work diligently to investigate and provide updates on the reported vulnerability in a timely manner.
  • If you are willing, we will collaborate with you to validate and understand the full impact of the vulnerability.
  • If appropriate, we will release security patches or updates to address the reported vulnerability. You will be notified of these, and in some cases you may be invited to confirm that the solution covers the vulnerability you have raised.
  • We may choose to publicly acknowledge your responsible disclosure, if you are agreeable. If you are, we would like to coordinate our release with you, so please continue to coordinate with us.

Guidance

We highly appreciate any responsible disclosures presented to us in good faith. In accordance with this, we ask that you observe the following. You must not:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Modify data in the Organisation's systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt the Organisation's services or systems.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice", for example missing security headers.
  • Submit reports detailing TLS configuration weaknesses, for example "weak" cipher suite support or the presence of TLS1.0 support.
  • Communicate any vulnerabilities or associated details other than by means described in the published security.md.
  • Social engineer, "phish" or physically attack the Organisation's staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Always comply with data protection rules and never violate the privacy of any data the Organisation holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organisation or partner organisations to be in breach of any legal obligations.

Thank you for your commitment to keeping our software secure!