#Vulnerability Disclosure Program Policy

##Policy Upgrade is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Upgrade Inc.

During testing, please do not conduct denial-of-service (DoS) or resource-exhaustion attacks. If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program. Thank you in advance for your submission.

Please note, Upgrade does not operate a public bug bounty program; while we appreciate your efforts to find and report potential security vulnerabilities, we make no offer of reward or compensation in exchange for submitting potential issues at this time.

##Program Guidelines Researchers shall disclose potential vulnerabilities to Upgrade in accordance with the following guidelines:

• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
• Do not store, share, compromise or destroy Upgrade or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Upgrade. This step protects any potentially vulnerable data, and you.
• Do not engage in any activity that can potentially or actually cause harm to Upgrade, our customers, or our employees.
• Do not engage in any activity that can potentially or actually stop or degrade Upgrade services or assets.
• Do not initiate a fraudulent financial transaction.
• Do not conduct denial-of-service (DoS) or resource-exhaustion attacks;
• Provide Upgrade reasonable time to fix any reported issue, and do not disclose any reported issues publicly or to any third party without Upgrade’s express consent. Upgrade will consider any request from a researcher to make a public disclosure but reserves the right to deny such disclosure requests.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issue is considered out of scope:

• Brute Forcing user-accounts/ rate-limiting on the login page

By responsibly submitting your findings to Upgrade in accordance with these guidelines Upgrade agrees not to pursue legal action against you. Upgrade reserves all legal rights in the event of noncompliance with these guidelines. Once a report is submitted, Upgrade will endeavor to provide prompt acknowledgment of receipt of all reports (typically within two business days of submission) and to keep you reasonably informed of the status of any validated vulnerability that you report through this program.

##Submission Format When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).