Vulnerability Disclosure Policy
Introduction
natif ai welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.
natif ai welcomes the chance to hear from good faith security researchers, who are conducting or conduct security research under these VDP guidelines.
natif ai welcomes the chance to hear from good faith security researchers, who are conducting or conduct security research under these VDP guidelines.
Test methods
The following test methods are not authorized or considered good faith/authorized research:
– Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
– Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
– Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
– Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Scope
This policy applies to the below digital assets owned, operated, or maintained by Natif ai.
– natif.ai
– client.natif.ai
– api.natif.ai
Any other service, such as any connected services, are excluded from scope and are not authorized for testing.
– natif.ai
– client.natif.ai
– api.natif.ai
Any other service, such as any connected services, are excluded from scope and are not authorized for testing.
Out of scope
Assets or other equipment not owned by parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Our commitments
– Within 5 business days, we will acknowledge that your report has been received.
– Work with you to understand and validate your report.
– We will maintain an open dialogue to discuss issues.
– Strive to keep you informed about the progress of a vulnerability as it is processed.
– Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints
– Work with you to understand and validate your report.
– We will maintain an open dialogue to discuss issues.
– Strive to keep you informed about the progress of a vulnerability as it is processed.
– Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints
Our expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
– Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
– Report any vulnerability you’ve discovered promptly;
– Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
– Use only the Official Channels to discuss vulnerability information with us;
– Provide us a reasonable amount of time (at least from the initial report) to resolve the issue before you disclose it publicly;
– Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
– Reports should be in English, if possible.
– Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
– If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
– You should only interact with test accounts you own or with explicit permission from the account holder; and
– Do not engage in extortion.
– Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
– Report any vulnerability you’ve discovered promptly;
– Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
– Use only the Official Channels to discuss vulnerability information with us;
– Provide us a reasonable amount of time (at least from the initial report) to resolve the issue before you disclose it publicly;
– Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
– Reports should be in English, if possible.
– Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
– If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
– You should only interact with test accounts you own or with explicit permission from the account holder; and
– Do not engage in extortion.
Reporting a vulnerability
natif.ai accepts vulnerability reports at security@natif.ai
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.
natif ai will not offer payment or compensation for good faith research.
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.
natif ai will not offer payment or compensation for good faith research.
Safe harbor / authorization
We consider activities conducted consistent with this policy to constitute “authorized” access under anti-hacking laws. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.