Responsible Disclosure Policy

Last updated: October 13th, 2022

Repositax maintains a Responsible Disclosure Policy (RDP) scoped to particular assets as identified below. You can contact us for more information or to report vulnerabilities security@repositax.com.

Policy Scope

Repositax’s Responsible Disclosure Policy covers the following products:

• Repositax’s core platform, including the Repositax web application (https://app.repositax.com/) and public APIs (if any)

The scope of this policy may expand in the future as we add additional product capabilities and gain experience with this process.

Terms

Repositax will not engage in legal action against individuals who submit vulnerability reports to security@repositax.com in accordance with this policy. We openly accept reports for the Repositax products identified above. We agree not to pursue legal action against individuals who:

• Engage in testing of systems/research without harming Repositax or its customers.
• Engage in vulnerability testing within the scope of this Responsible Disclosure Policy.
• Adhere to the laws of their location and the location of Repositax.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.‍

Submitting a Vulnerability

Submit vulnerability reports to Repositax’s Security Team via security@repositax.com.

‍

Report Prioritization and Acceptance Criteria

Preference will be given to reports that meet the following criteria:

• • Well-written reports in English will have a higher probability of resolution
  • Proof-of-concept code is provided when applicable
  • Reports that include only crash dumps or other automated tool output may receive lower priority
  • Reports that include products not on the initial scope list may not be considered
  • Include how you found the bug, the impact, and any potential remediation
  • Please include any plans or intentions for public disclosure

What you can expect from Repositax:

• • A timely response to your email (within 3 business days)
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it
  • An open dialog to discuss issues
  • Credit after the vulnerability has been validated and fixed

Repositax reserves the right to use a neutral third party to assist in determining how best to handle the vulnerability.