Our primary focus is on vulnerabilities that:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Please email all submissions to firstname.lastname@example.org. Your submission should include any steps required to reproduce or exploit the vulnerability. Please allow time for triage and the vulnerability to be fixed before discussing any findings publicly. After receiving a submission, Civic Technologies will make a best effort to provide a timely first response. We’ll try to keep you informed about our progress throughout the process.
To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Civic Technologies and our users safe!