Responsible Disclosure Policy - Sevanta Systems Corporation

Last modified: February 5, 2022

Sevanta Systems Corporation ("Sevanta") is committed to working with security researchers to verify and address reported vulnerabilities. Please review these terms before you test and/or report a vulnerability. Sevanta pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Scope: This policy is related to servers addressable as sevanta.com and mydealflow.com and its subdomains, unless fully administered by a third party (e.g., if Google is hosting mail service for these domains, the Google hosts/services are not covered by this policy).

Contact: Upon discovery of a vulnerability, security researchers must cease testing and notify us immediately at:

Guidelines

We request that you:

Specifics

The following conduct is expressly prohibited:

  1. Performing actions that are likely to disrupt, impair, disable, or negatively affect Sevanta or its users, especially any activity that might result in Denial of Service or resource exhaustion.
  2. Destroying, corrupting, altering, exfiltrating, retaining, or rendering inaccessible any data.
  3. Establishing persistent presence.
  4. Using knowledge of a vulnerability to blackmail or extort Sevanta or its users.

Disclosure: We require that you refrain from sharing information about discovered vulnerabilities for 60 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. We will not share names or contact data of security researchers unless given explicit permission.

Please contact us prior to conducting research if you are unsure if a specific test method is inconsistent with or unaddressed by this policy. We also invite security researchers to contact us with suggestions for improving this policy.