Responsible Disclosure Policy
Last Updated: April 2, 2025
Security is core to HexGuard's mission. We encourage security researchers to help us identify and responsibly disclose potential vulnerabilities in our products, services, and infrastructure. This policy provides guidelines for reporting security vulnerabilities and outlines our commitment to addressing them.
Introduction
At HexGuard, we take security very seriously. Despite our best efforts to secure our systems, vulnerabilities may still exist. We appreciate the security community's help in identifying potential security vulnerabilities through responsible disclosure. This policy provides guidelines for security researchers who wish to report vulnerabilities to us, and outlines our commitment to addressing these issues promptly and transparently.
Scope
This Responsible Disclosure Policy applies to the following systems and services:
- Any web application or service under the *.hexguard.net domain
- HexGuard mobile applications
- HexGuard hardware products and their associated firmware
- HexGuard API endpoints
Out of scope:
- Third-party services or applications that HexGuard uses but does not own
- Infrastructure not managed directly by HexGuard (such as cloud provider infrastructure)
- Physical security of HexGuard offices or facilities
Disclosure Guidelines
If you believe you've found a security vulnerability in any HexGuard-owned system, we ask that you:
1. Report the vulnerability to us as soon as possible via [email protected] or through our HackerOne program
2. Provide detailed information about the vulnerability, including steps to reproduce it
3. Allow us reasonable time to address the issue before disclosing it publicly
4. Make a good faith effort to avoid privacy violations, service disruptions, data destruction, or other issues that could harm our users
Please do NOT:
- Access, modify, or exfiltrate data that doesn't belong to you
- Engage in any activity that could negatively impact HexGuard services (such as DoS attacks or spamming)
- Use techniques that might damage data or disrupt services
Our Response
When you submit a vulnerability report, we commit to:
1. Acknowledge receipt of your vulnerability report within 48 hours
2. Provide an initial assessment of the report within 5 business days
3. Keep you informed about our progress addressing the issue
4. Work with you to understand and validate the issue
5. Remediate verified vulnerabilities in a timely manner, depending on complexity
6. Publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
Safe Harbor
We consider security research conducted under this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
- Exempt from DMCA anti-circumvention prohibitions
- Exempt from restrictions in our Terms of Service that would prohibit testing for vulnerabilities
- Exempt from any similar laws or regulations that restrict security research
We will not pursue civil action or initiate a complaint to law enforcement for security research conducted in good faith and in accordance with this policy. We consider activities conducted in a manner consistent with this policy to constitute "authorized" conduct under the CFAA.
Please note that if your security research involves the networks, systems, or data of a third party, that third party may determine whether to pursue legal action. HexGuard cannot authorize security testing on behalf of third parties.
Public Disclosure
We believe in transparency and value the work of security researchers. Our policy on public disclosure is as follows:
1. We request that you allow us sufficient time to investigate and address any vulnerabilities before public disclosure
2. We generally suggest a disclosure timeline of 90 days after we've acknowledged your report
3. If you would like to be recognized for your finding, we will credit you on our security acknowledgments page with your permission
4. In the case of complex vulnerabilities that require more time to address, we may request an extended disclosure timeline
We are committed to working with researchers to understand and address security vulnerabilities promptly.
Recognition & Rewards
We value the contributions of security researchers and offer the following recognition for responsible disclosures:
1. Public acknowledgment on our security hall of fame (with your permission)
2. HexGuard swag for qualifying reports
3. For significant findings, we may offer rewards or bounties based on the severity and impact of the vulnerability
The reward amount is determined at our discretion based on:
- The severity of the vulnerability
- The quality of the report and reproduction steps
- The impact on our users and systems
We maintain our HackerOne program for coordinating bounty payments and researcher recognition.
Contact Us
To report a security vulnerability, please contact our security team:
- By email: [email protected]
- Via our HackerOne program: hackerone.com/hexguard
- For general inquiries: [email protected]
We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge your contributions.