Security is our highest priority. We appreciate your participation in this program as the disclosure of security vulnerabilities enhances our security program to protect data and the privacy of our users.
This document outlines the requirements of participation, as well as our commitments to you.
By participating in this program, you agree to the following:
Will not engage in any activity that may reasonably cause or actually cause harm to Bluescape, our customers, or our employees.
Will not engage in any activity that may reasonably interrupt or disable or or degrade Bluescape services or assets.
Will not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
Will not store, share, compromise or destroy data.
Will not share or process any information that may be linked to an individual, Personally Identifiable Information (PII). If PII is encountered, you will immediately halt your activity, purge related data from your system, and immediately contact Bluescape.
Will use best efforts to comply with industry best practices to avoid any of the following: conflicts with privacy or security regulations or best practices, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Will only perform research within the scopes outlined in writing by Bluescape.
Will use the identified communication channels to promptly report vulnerability information to Bluescape.
Keep information about any vulnerabilities you’ve discovered strictly confidential for the later of a minimum of 90 days from reporting or until Bluescape confirms in writing that the issue has been resolved.
By follow these requirements, we commit to:
Not pursue or support any legal action related to your research;
Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.