Risk Ledger Ltd Vulnerability Disclosure Policy (VDP)

Last updated June 23, 2025

Introduction

As a security company, we have a commitment to providing a secure and trusted platform to our users. We value security researchers and others who keep a watchful eye and responsibly disclose security issues.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Risk Ledger Ltd.

Out of Scope

  • HTTPS / TLS security headers suggestions
  • SPF / DMARC / DKIM / DNSSEC suggestions
  • Banner/version disclosure
  • Social engineering / phishing / spam
  • Services, assets or other equipment not owned by you or Risk Ledger.
    • Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Our Commitments

When working with us, according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;
  • Strive to keep you informed about the progress of a vulnerability as it is processed;
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
  • Extend Safe Harbour to any additional vulnerability research authorised by Risk Ledger that is related to this policy.

Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Do not disclose the vulnerability outside of the VDP;
  • Do not violate any laws;
  • Do not disrupt services (DoS/DDoS);
  • Do not access, modify, or destroy any accounts or data that do not belong to you;
  • Do not engage in extortion;
  • Report any vulnerability you’ve discovered promptly;
  • Use only the Official Channel to discuss vulnerability information with us;
  • Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a Proof of Concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) or proprietary information; and
  • Interact only with test accounts you own, or with the explicit permission of the account holder.

Official Channels

Please report security issues via security@riskledger.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Safe Harbour

Risk Ledger may authorise and invite you to conduct additional research based on your initial disclosure. When conducting such additional Risk Ledger authorised vulnerability research within the agreed, defined scope, according to this policy:

  • We consider this research exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis;
  • You are expected, as always, to comply with all applicable laws and Our Expectations set out above; and
  • You must not involve or cause impact to any third party operations, or violate any third party Terms of Service.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please stop and contact us through our Official Channel before going any further.

Note that this Safe Harbour applies only to legal claims under the control of the organisation participating in this policy, and that the policy does not bind independent third parties.