Responsible Vulnerability Disclosure Policy

Resgrid is committed to ensuring the privacy and security of our customers and their data. We believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.

Introduction

Resgrid welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Resgrid. Including, but not limited to the following:

Resgrid Websites

  • resgrid.com
  • app.resgrid.com

    • Resgrid End User Apps

  • dispatch.resgrid.com
  • bigboard.resgrid.com
  • responder.resgrid.com
  • unit.resgrid.com

    • Resgrid API

  • api.resgrid.com

    • Resgrid Source Code

  • Resgrid Core
  • Resgrid Dispatch
  • Resgrid BigBoard
  • Resgrid Unit
  • Resgrid Responder
  • capacitor-plugin-resgrid
  • ngxresgridlib
  • Resgrid ApiClient
  • Resgrid Email Processor
  • Resgrid Relay

    • Systems out of Scope

    Assets or other equipment not owned by parties participating in this policy.

  • blog.resgrid.com
  • status.resgrid.com
  • resgrid.freshstatus.io
  • resgrid.zohodesk.com
  • support.resgrid.com
  • docs.resgrid.com

    • Our Commitments

    When working with us, according to this policy, you can expect us to:

  • Respond to your report as soon as we can, and work with you to understand and validate your report.
  • Strive to keep you informed about the progress of a vulnerability as it is processed.
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
  • Extend our Safe Harbor for your vulnerability research that is related to this policy.

    • Please understand we are a small, but dedicated team. We take security seriously but need to balance that with our priorities as well.

    Compensation

    At this time Resgrid does not have a budget to compensate for security vulnerabilities reported. Instead we will highlight your work and link to your profile via our Hall Of Fame.

    Our Expectations

    In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
  • Report any vulnerability you’ve discovered promptly.
  • Provide us a reasonable amount of time (at least 180 days from the initial report) to resolve the issue before you disclose it publicly.
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • You should only interact with test accounts you own or with explicit permission from the account holder.
  • Do not distribute inappropriate or illegal content on Resgrid servers or services.
  • Do not engage in extortion.

    • Performing your research

    Do not impact other users with your testing, this includes testing vulnerabilities in projects or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.

    The following are never allowed and are ineligible for Hall of Fame recognition:

  • Performing distributed denial of service (DDoS) or other volumetric attacks.
  • Spamming content.
  • Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.

    • Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.

    Handling personally identifiable information (PII)

    Personally identifying information (PII) includes:

  • Legal and/or full names.
  • Names or usernames combined with other identifiers like phone numbers or email addresses.
  • Health or financial information (including insurance information, social security numbers, etc.).
  • Information about political or religious affiliations.
  • Information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes.

    • Do not intentionally access others’ PII. If you suspect a service provides access to PII, limit queries to your own personal information.

    Report the vulnerability immediately and do not attempt to access any other data. We will assess the scope and impact of the PII exposure.

    Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.

    You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your recognition in the Responsible Disclosure Hall of Fame.

    We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.

    Official Channels

    Please report security issues via security@resgrid.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

    Safe Harbor

    When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

    • You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

    If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

    Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.