Vulnerability Disclosure Policy
Updated: March 3, 2025
Introduction
Extrian Security Corp. welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security concern in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us.
Systems in Scope
This policy applies to any digital assets owned, operated, or maintained by Extrian Security Corp.
Out of Scope
Assets or other equipment not owned by parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Our Commitments
When working with us under this policy, you can expect us to:
Respond to your report promptly and work with you to understand and validate your findings.
Keep you informed about the progress of a vulnerability as it is processed.
Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Extend Safe Harbor for your vulnerability research as it relates to this policy.
Our Expectations
To participate in our vulnerability disclosure program in good faith, we ask that you:
Adhere to this policy and any other relevant agreements. If any inconsistency arises between this policy and other applicable terms, this policy will prevail.
Report any discovered vulnerabilities promptly.
Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
Use only the Official Channels to discuss vulnerability information with us.
Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before publicly disclosing it.
Conduct testing only on in-scope systems and respect out-of-scope systems and activities.
If a vulnerability provides unintended access to data:
Limit the amount of data accessed to the minimum required for effectively demonstrating a Proof of Concept.
Cease testing and submit a report immediately if user data such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information is encountered.
Interact only with test accounts you own or accounts for which you have explicit permission from the account holder.
Do not engage in extortion.
Official Channels
Please report security issues via email to:
security@extrian.com
Providing detailed information will help us triage and resolve the issue more efficiently.
Safe Harbor
When conducting vulnerability research under this policy, we consider your research to be:
Authorized under any applicable anti-hacking laws. We will not initiate or support legal action against you for accidental, good-faith violations of this policy.
Authorized under any relevant anti-circumvention laws, and we will not bring a claim against you for the circumvention of technology controls.
Exempt from restrictions in our Terms of Service (TOS) and Acceptable Usage Policy (AUP) that would interfere with legitimate security research. We waive these restrictions on a limited basis.
Lawful, helpful to overall security, and conducted in good faith.
You are expected to comply with all applicable laws. If legal action is initiated by a third party against you, and you have adhered to this policy, we will take steps to clarify that your actions were conducted in compliance with this policy.
If you have concerns or are unsure whether your security research aligns with this policy, please submit a report through one of our Official Channels before proceeding further.
Note: The Safe Harbor applies only to legal claims under the control of Extrian Security Corp. and does not bind independent third parties.