Empathy First Media Security Vulnerability Disclosure Policy
Last Updated: January 7, 2024
Introduction
At Empathy First Media, we prioritize the security of our systems and data. We recognize the valuable role that security researchers and our user community play in keeping our systems secure. This policy provides guidelines for submitting security vulnerabilities to us and outlines our commitment to working with security researchers.
Scope
This policy applies to any digital assets owned, operated, or maintained by Empathy First Media.
How to Report a Security Vulnerability
If you believe you have found a security vulnerability in one of our systems, please send us a detailed report to [email protected]. Your report should include:
- A clear description of the vulnerability and potential impact.
- Detailed steps to reproduce the vulnerability (Proof of Concept scripts or screenshots can be helpful).
- Any relevant URLs or affected systems.
- Your contact information for follow-up.
For secure communication, our PGP key is available at PGP Key Link.
What to Expect After Reporting a Vulnerability
- Acknowledgment: We aim to acknowledge receipt of your report within 48 hours.
- Assessment: We will work to validate and assess the vulnerability.
- Communication: We will keep you informed of our progress.
- Remediation: Once assessed, we will work swiftly to address the issue.
- Disclosure: We are committed to responsible disclosure and will coordinate with you regarding public disclosure of the vulnerability.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized concerning any anti-hacking laws.
- Exempt from DMCA violations related to circumventing technological measures.
- Exempt from violations of the Computer Fraud and Abuse Act.
We will not pursue legal action against individuals who report vulnerabilities, provided they adhere to this policy. We ask that you:
- Do not access or modify data without permission.
- Avoid degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Acknowledgments
Security researchers who follow this policy and responsibly disclose vulnerabilities will be recognized on our Acknowledgments page: Hall of Fame Link.
Contact Us
For any questions regarding this policy, please contact [email protected].