
Groundspeak Vulnerability Disclosure Policy

Overview

Groundspeak, Inc. ("Groundspeak", "we", or "us") will engage with security researchers when vulnerabilities are reported to us in accordance with this Vulnerability Disclosure Policy. We reserve all legal rights in the event of any non-compliance.

Vulnerability Disclosure Philosophy

Groundspeak, Inc. ("Groundspeak", "we", or "us") believes effective disclosure of security vulnerabilities requires mutual trust, respect, and transparency between you as security researchers and us. Together, our vigilant expertise promotes the common good and the continued security and privacy of our customers, products, and services.

Security Researchers

We accept vulnerability reports from all sources, such as independent security researchers, industry partners, vendors, customers, and consultants. We define a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our products and services.

Scope

This policy applies to any digital assets owned, operated, or maintained by Groundspeak including public-facing websites, listed in Section 1 of our Terms of Use.

Our Commitment to Researchers

Trust. We maintain trust and confidentiality in our professional exchanges with security researchers. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
Respect. We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure.
Transparency. We will work with you to validate and, as necessary, remediate reported vulnerabilities in accordance with our commitment to security and privacy.

What We Ask of Researchers

We ask that you…

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Provide the details necessary for our team to identify and validate reported issues and provide sufficient time and information for our team to validate and address those issues.
  • Do not engage in social engineering against our employees, customers, or infrastructure.
  • Do not utilize an exploit to view data without authorization or to compromise the confidentiality or availability of the data or our services, and only use exploits to the extent necessary to confirm a vulnerability’s presence.

Additionally, we request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities.

Vulnerability Reporting

Share the details of any suspected vulnerabilities using the web form below. Please use the form to describe the vulnerability, where it was discovered, and the potential impact of exploitation. Our security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate next steps.