RESPONSIBLE VULNERABILITY DISCLOSURE POLICY

COMMITMENT TO PRIVACY & SECURITY

At Scripta Insights, Inc. (“Scripta Insights”), we are committed to creating and maintaining a secure, private, and safe environment for our customers. The privacy, security, and safety of our customers is our top priority and we strive to maintain the trust and confidence that our customers place in our company. Scripta Insights recognizes and values the vital role that the information security community and independent security researchers play in assisting us in keeping our products, services, and technology secure. If you are a security researcher and discover a vulnerability, we sincerely thank you for your help in disclosing it to us in a secure and responsible manner.

RESPONSIBLE DISCLOSURE

Scripta Insights will engage with security researchers when vulnerabilities are reported to us in accordance with our Responsible Vulnerability Disclosure Policy (our “Policy”). Our Policy applies to any public-facing system owned, operated, or controlled by Scripta Insights. This Policy describes how to responsibly inform us of a potential security vulnerability and our guidelines for the security researchers who participate in our vulnerability disclosure process. Reports submitted to Scripta Insights in good faith and pursuant to this Policy will be handled appropriately and kept confidential where permitted by law.

GUIDELINES

Security researchers must adhere to the following:

  • All applicable laws and regulations. 

  • This Policy. 

  • Our Terms of Use.

  • Report all vulnerabilities promptly. 

  • Avoid violating the privacy of any individuals. 

  • Communicate with us in a secure manner as described below. 

  • If a vulnerability provides unintended access to data, security researchers are required to limit the amount of data accessed to the minimum required for effectively demonstrating a proof of concept, and to cease testing and submit a report immediately if any customer data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or proprietary information, is discovered or encountered during testing.

The following activities are not permitted:

  • The performance of disruptive testing such as load or performance testing, including Denial of Service attacks, attacks or actions that attempt to interfere with the confidentiality, integrity, availability, or operation of our websites, mobile applications, platform, and/or software. If you notice that any action you have taken degrades the performance of our systems, immediately stop. 

  • Social engineering or phishing of our employees or individuals associated with Scripta Insights.

  • The altering of any of the content on our websites, applications, or social media accounts. 

  • Retaining any of our customers’ data that was accessed as a result of any vulnerability testing.

  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software. 

  • Conducting testing that results in the transmission of unsolicited, junk, spam, or unauthorized e-mails.

  • Testing any third-party applications, websites, or services that integrate with or link to our website, applications, or services. 

  • The testing of any physical office access (doors, tailgates, windows, metal detectors, etc.).

  • The attempted or actual alteration of account privileges or login credentials.  

  • Extortion.

HOW TO REPORT

  • Please promptly share the details of the potential security vulnerability with our team by e-mailing us at responsible-disclosure@scriptainsights.com. Please note that this e-mail address is intended only for the purposes of reporting potential vulnerabilities and not for technical support or for information on our products or services. 

  • In your e-mail, please provide the time, date, operating system, platform and browser used, and other details sufficient to enable us to reproduce the vulnerability. 

  • To ensure confidentiality, we ask that you encrypt any sensitive information you send us via e-mail. 

  • Please do not disclose the issue to the public or any third party until we have had a reasonable opportunity to assess, understand, validate, and resolve the vulnerability and we have communicated to you in writing that you may disclose this issue.

  • We will attempt to review and respond to your report as soon as possible. 

  • After your e-mail is received, a member of our team may follow up with you to discuss your report. 

OUR PROMISE

Scripta Insights will work to understand and verify vulnerabilities and any potential impact. If we believe that the privacy, security, or safety of our customers’ information is impacted, we will work to develop a solution and take all actions we deem appropriate. We reserve the right to determine or delay the release of any advisory or to not issue an advisory at all. All aspects of this Policy and process are subject to change without notice. There is no guaranteed response or action for any specific type or class of issue reported.