Vulnerability Disclosure Policy
Purpose
This Policy sets forth the terms and conditions governing the conduct by security researchers of all vulnerability discovery activities directed at the networked information systems of Credo.ai, including web properties, and the submission of discovered vulnerabilities to Credo.ai. If questions arise, please take no action until you have discussed that action with an authorized security representative of Credo.ai.
Overview
Maintaining the security of our connected systems and software is a high priority at Credo.ai. Recognizing that the broader security research community regularly makes valuable contributions to the security of the Internet, Credo.ai believes that a close relationship with this community will also improve our security. If you have information about a vulnerability, please contact us at security@credo.ai.
Any information submitted to Credo.ai under this program will be used to mitigate or remediate vulnerabilities in our networks or applications, or in the applications of our vendors.
Please review the program terms and conditions carefully. By participating in Credo.ai's vulnerability disclosure program, conducting any testing of Credo.ai networks or systems, and prior to submitting a report, you agree to abide by these terms and conditions.
Scope
Publicly accessible information systems or web properties owned, operated, or controlled by Credo.ai.
How to Submit a Report
We accept vulnerability reports via security@credo.ai. Reports may be submitted anonymously. If you share contact information, we will try to acknowledge receipt of your report within 3 business days. Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; potential impact of the issue; and suggested mitigation or remediation actions, as appropriate.
By clicking “Submit Report,” or emailing us with a report, you are indicating that you have read, understand, and agree to the terms and conditions of the program for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to the Credo.ai information systems, and that you consent to having the contents of the communication and follow-up communications used by Credo.ai.
Guidelines
Credo.ai will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these terms and conditions:
- Your activities are limited exclusively to:
  - (1) Testing, through remote means, to detect a vulnerability or identify an indicator related to a vulnerability; and
  - (2) Sharing information solely with Credo.ai or receiving information from Credo.ai about a vulnerability or an indicator related to a vulnerability.
- You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on a Credo.ai information system or systems, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists. An information system is a set of information resources for collecting, processing, maintaining, using, sharing, or disseminating information.
- You will not exfiltrate any data under any circumstances.
- You will not intentionally compromise the privacy or safety of Credo.ai personnel, customers, or any third parties.
- You will not intentionally compromise the intellectual property or other commercial or financial interests of any Credo.ai personnel, customers, or any third parties.
- You will not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from Credo.ai.
- If, during your research, you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by Credo.ai and report to Credo.ai that you have done so.
- You will not conduct denial of service testing.
- You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning Credo.ai personnel or contractors.
- You will not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
What You Can Expect From Us
We take every disclosure seriously. We will investigate every disclosure and we will strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities.
Legal
This policy does not grant authorization, permission, or otherwise allow express or implied access to Credo.ai information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a security researcher working in accordance with the terms and conditions of this VDP program discloses a vulnerability, then Credo.ai will: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that researcher, and (2) inform the pertinent law enforcement agencies or civil plaintiffs that the researcher's activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of this program.
You must otherwise comply with all applicable Federal, State, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the program or the law. If you engage in any activities that are inconsistent with the terms and conditions of the program or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability.
Credo.ai may modify the terms and conditions or terminate the program at any time.