Vulnerability Disclosure Policy
Golden Software is committed to ensuring the security of our products and services. We value the contributions of security researchers and users who identify and report potential vulnerabilities. This document outlines our vulnerability disclosure program, detailing how to report vulnerabilities and what to expect during the process.
Purpose
The purpose of this program is to provide a clear and structured process for reporting security vulnerabilities to Golden Software. By working together with the security community, we can enhance the security of our software and services, and protect our users.
Scope
This program applies to all actively supported Golden Software products and services. If you believe you have found a security vulnerability, we encourage you to report it to us.
Reporting a Vulnerability
To report a vulnerability, please follow these guidelines:
- Provide Detailed Information: Describe the vulnerability in detail, including the affected product, version, and steps to reproduce the issue.
- Proof of Concept (PoC): If possible, provide a Proof of Concept or exploit code to help us understand and verify the vulnerability.
- Contact Information: Include your contact information so we can reach you for further clarification or updates.
Please send your vulnerability reports to admin-security@goldensoftware.com.
What to Expect
Once you submit a vulnerability report, you can expect the following:
- Acknowledgement: We will acknowledge receipt of your report within 2 business days.
- Investigation: Our security team will investigate the reported vulnerability and verify its validity.
- Updates: We will keep you informed of the progress of our investigation and any planned fixes.
- Disclosure: We may publicly disclose the vulnerability after a fix has been released and users have had time to update. We will credit the reporter unless they prefer to remain anonymous.
Out of Scope
The following types of reports are considered out of scope for this program:
- Reports of vulnerabilities that have already been publicly disclosed.
- Reports of vulnerabilities that do not have a security impact.
- Reports of social engineering attacks.
Safe Harbor
Golden Software acknowledges and appreciates the efforts of security researchers who responsibly disclose vulnerabilities in our products. To encourage good-faith reporting, Golden Software hereby states that it will not initiate or pursue legal action (including but not limited to claims of copyright infringement, circumvention of technological measures, and computer fraud and abuse acts) against individuals who:
- Discover and report vulnerabilities in good faith and in compliance with this Vulnerability Disclosure Program.
- Do not intentionally cause harm to Golden Software, its users, or its systems during their research.
- Provide us with sufficient details to reproduce and address the vulnerability.
This safe harbor is limited to the vulnerability discovery and reporting process as outlined in this policy and does not extend to any unlawful activities or actions beyond the scope of legitimate security research. Golden Software reserves all rights to pursue legal action against individuals who act maliciously, exploit discovered vulnerabilities, or otherwise act in bad faith.
Legal
Golden Software reserves the right to modify the terms of this program at any time. Participation in this program does not grant you any rights or claims against Golden Software.
We appreciate your contributions to improving the security of Golden Software products and services.