Vendr Responsible Disclosure Policy

Purpose

Data security is a top priority for Vendr, and Vendr believes that working with skilled security researchers can help to identify weaknesses in any technology. If you believe you've found a security vulnerability in Vendr's service, please notify us using the contact method mentioned below; we will work with you to resolve the issue promptly. Thank you for helping to keep Vendr and our users safe.
‍

Policy

• If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@vendr.com. We will acknowledge your email within three business days.
  ‍
• Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third-party. We aim to resolve critical issues within five business days of disclosure.
  ‍
• Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Vendr service. Please only interact with accounts you own or for which you have received explicit permission from the account holder.
  ‍
• Do not exploit vulnerabilities, e.g., by downloading/accessing more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting, or modifying data. If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any high-risk data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, cease testing and submit a report immediately.
  ‍
• Do not store, share, compromise, or destroy Vendr or any Vendr data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Vendr (security@vendr.com). This step protects any potentially vulnerable data, and you.
  ‍
• Do not engage in any activity that violates: (a) federal or state laws or regulations; or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  ‍
• All information relating to vulnerabilities that you become aware of through the Responsible Disclosure Program is considered confidential ("Confidential Information"). You agree to refrain from disclosing Confidential Information publicly or to any third party and that any Vendr information that you may encounter, view, acquire, or access, is owned by Vendr or its customers, clients, or third party providers. You have no rights, title, or ownership in any such information. You agree to honor any request from our Security Team to promptly return or destroy all copies of Confidential Information and all notes related to the Confidential Information.
  ‍
• Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
  ‍
• Any unauthorized activity outside the terms of this policy, including violations of or failure to follow our policies (Responsible Disclosure Policy, Terms of Services, Privacy Policy, etc), may be subject to legal action pursuant to applicable laws, regulations, agreements, and company policies. If, at any time, you have concerns or are uncertain whether your security research is consistent with the terms of this program, stop testing and contact security@vendr.com.
  ‍
• Email communication between you and Vendr, including without limitation, emails you send to Vendr reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to Vendr shall be considered non-proprietary. Vendr, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, Vendr and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Vendr for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting Vendr a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
  

Exclusions

While researching, we request you to refrain from:

• Distributed Denial of Service (DDoS)
• Spamming
• Social engineering or phishing of Vendr employees, contractors, or suppliers
• Any attacks against Vendr's physical property or data centers
• Any attacks that will significantly interrupt or degrade the Vendr service

Bug Bounties

At this time, Vendr does not offer a paid bug bounty program.
‍

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://vendr.com/disclosure.
‍

Contact

Vendr is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@vendr.com.
‍

Responsibility

The CTO is responsible for ensuring this policy is followed.
‍

Versioning