1Strike Security Policy
1Strike is deeply committed to the security of the products and services we deliver to our customers and welcomes feedback from customers, security researchers, and the general public to help us improve security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues relating to 1Strike products and services, we want to hear from you. We only ask that you abide by our Responsible Disclosure policy and processes and provide 1Strike with the opportunity to investigate, resolve, and mitigate any confirmed security issues prior to public disclosure. This policy outlines the steps for performing compliant testing, reporting vulnerabilities to us, what we expect, and what you can expect from us.
Systems in Scope
This policy applies to 1Strike products and services we deliver to our customers and the information contained within the networks, systems, and applications used to deliver those products and services. As our products are operational systems supporting our customers, vulnerability research associated with these products and services must be authorized by the owner, operator, licensee and/or subscription holder of the system or service being tested and must follow the ground rules and expectations outlined in this policy. For on-premise deployments of 1Strike products and services, testing must be authorized and approved by the licensee and/or subscription holder for the products being tested. For cloud-based (Software-as-a-Service) deployments and supporting services, vulnerability research must be authorized and approved by 1Strike. All other networks, systems, information, applications, products, or services owned, operated, or leased by 1Strike are considered out of scope with respect to this policy.
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints;
- Recognize your contribution should your efforts result in discovery of unique vulnerabilities within 1Strike products and services; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
When participating in our vulnerability disclosure program in good faith, and to minimize risk to our customers, employees, and company, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Only perform security research on in-scope systems with the express permission of the owner, operator, licensee and/or subscription holder of the system being tested. Employees of a company may not use their company access, license, test accounts, and/or subscription to 1Strike products and services to perform independent security research;
- Avoid using social engineering attacks, physical security attacks, and/or denial of service attacks in association with your research;
- Avoid violating the privacy of others, disrupting our systems or the systems supporting our customers, exposing or destroying data, and/or harming user experience;
- Use the communications mechanisms outlined below to promptly report vulnerability information to us. Information related to vulnerabilities shall be treated as confidential information, and not disclosed to third parties or publicly disclosed without express written consent from 1Strike. 1Strike will consider a submission noncompliant if the submission is publicly disclosed without our written consent;
- Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue and ensure our customers are protected before any information about the vulnerability is made public;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data, cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, and/or sensitive or proprietary information;
- Do not engage in extortion; and
- 1Strike customers are encouraged to use the 1Strike Help Center for submitting information to us about vulnerabilities you have discovered.
When you conduct vulnerability research according to this policy, we consider that research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our End User Licensing Agreement and Software-as-a-Service Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws and not to disrupt or compromise any data beyond what is permitted by this policy.
Please contact us at security@1Strike.io before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action will be a significant factor in that decision.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
Reporting Security Findings to Us
1Strike customers are encouraged to use the 1Strike Help Center for submitting information to us about vulnerabilities, privacy issues, exposed data, or other security issues you have discovered.
Security researchers and the general public (or anyone else without a 1Strike Help Center account) are encouraged to contact us at security@1Strike.io to report any vulnerabilities, privacy issues, exposed data, or other security issues you have discovered. Once contacted, we will work with you to establish a secure communications channel and provide you with instructions on how to submit the information we will need to properly assess your security findings.