Vulnerability Disclosure Policy

Introduction

Purpose of the Policy

This Vulnerability Disclosure Policy aims to provide a clear and structured process for reporting potential security vulnerabilities, privacy issues, exposed data, or other security concerns identified in any of our assets. Our goal is to collaborate with the security community and the general public to enhance the security of our assets and safeguard our users' data.

Scope of the Policy

This policy applies to any vulnerabilities identified in any digital assets owned, operated, or maintained by GuestLabs.

Out of scope

Assets or other equipment not owned by parties participating in this policy are generally considered out of scope for our vulnerability disclosure program.

Reporting a Vulnerability

How to Report

If you believe you have discovered a security vulnerability, please report it to us as follows:

  • Contact Information: Send an email to security@guestlabs.com
  • Information to Include:
    • Description of the vulnerability and its potential impact.
    • Steps to reproduce the vulnerability.
    • Any available screenshots or proof-of-concept.
    • Your contact information for follow-up (optional).

Our Commitment

Acknowledgement of Reports

We will acknowledge receipt of your vulnerability report promptly.

Communication During the Investigation

We will keep you informed of the status of your report as we investigate and address the issue.

Expected Resolution Time

We aim to resolve critical vulnerabilities in a timely manner within our operational constraints. Non-critical issues may take longer, depending on their complexity and impact.

Guidelines for Reporters

What to Do

  • Adhere to this policy and any other relevant agreements. In the event of any conflict between this policy and other applicable terms, this policy will take precedence.
  • Report any vulnerability you discover promptly.
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Use only the official channels to discuss vulnerability information with us.
  • Provide detailed information to help us understand and reproduce the issue.
  • Perform testing only on in-scope systems and respect systems and activities that are out-of-scope.
  • If a vulnerability provides unintended access to data:
    • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
    • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
    • Interact only with test accounts you own or have explicit permission to use.

What Not to Do

  • Do not publicly disclose the vulnerability before we have had a chance to fix it.
  • Do not exploit the vulnerability or use it to access unauthorized data.
  • Do not violate the privacy of our users, disrupt our services, or destroy data.
  • Do not engage in extortion.

Legal Safe Harbor

Good Faith Provisions

We consider vulnerability disclosure activities conducted in accordance with this policy to constitute "authorized" conduct concerning any applicable anti-hacking and anti-circumvention laws. Such activities are lawful and contribute to the overall security of the Internet, and we will not pursue legal action against individuals who report vulnerabilities in good faith. Additionally, you are exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would otherwise interfere with conducting security research. We waive these restrictions on a limited basis.

Safe Harbor Clause

To the extent that your activities are consistent with this policy, we consider such activities as authorized, and we will refrain from initiating legal action against you. You are expected to comply with all applicable laws at all times. If a third party initiates legal action against you and you have adhered to this policy, we will take measures to clarify that your actions were conducted in accordance with this policy. If you have any concerns or are unsure whether your security research aligns with this policy, please submit a report through one of our Official Channels before proceeding further.

Please note that the Safe Harbor provision applies solely to legal claims under the control of the organization participating in this policy. This policy does not bind independent third parties.

Confidentiality and Privacy

Handling of Personal Information

Any personal information shared with us in the course of reporting a vulnerability will be handled in accordance with our Privacy Policy and will be used only for the purpose of addressing the security issue.

Anonymity Options

If you prefer to remain anonymous, you can use an anonymous email address or other means to report vulnerabilities.

Coordination and Disclosure

Coordinated Disclosure Practices

We will coordinate with you to publicly disclose the vulnerability once a fix has been implemented. We believe in responsible disclosure to protect our users.

Credit and Recognition for Reporters

If you wish, we will credit you for your discovery in our security advisories. Please let us know how you would like to be recognized.

Amendment of Policy

Right to Amend Policy

We reserve the right to amend this policy at any time. When we make changes, we will update the policy on our website.

Notification of Changes

Significant changes to this policy will be communicated via our website or other appropriate channels.

Contact Information

Dedicated Security Email Address

security@guestlabs.com