Responsible Disclosure Policy
01. Purpose
At Geopera, we are deeply committed to maintaining the security of our platform and the data of our users. We recognize that a collaborative approach with the security research community is invaluable in achieving this goal. This Responsible Disclosure Policy is designed to provide guidelines for security researchers who discover potential vulnerabilities in our systems and wish to report them to us in a responsible and ethical manner. We encourage you to help us protect our users and systems by responsibly reporting any security issues you may find.
02. Scope
This policy applies to vulnerabilities found within systems that are owned, operated, and controlled by Geopera. This generally includes our main geospatial platform, websites, APIs, and related online services that are accessible to the public. While we appreciate researchers helping us improve our security, this policy does not extend to systems that are explicitly out of scope, such as third-party services we integrate with, or systems not directly under Geopera's control. If you are unsure whether a system falls within the scope, please contact us for clarification before proceeding with testing.
03. Reporting Vulnerabilities
If you believe you have discovered a security vulnerability, we ask that you report it to us promptly. To help us efficiently assess and address your report, please provide as much of the following information as possible:
Detailed Description: Clearly describe the vulnerability, its potential impact, and where it is located. Include the type of vulnerability (e.g., cross-site scripting, SQL injection).
Reproduction Steps: Provide clear, step-by-step instructions on how to reproduce the vulnerability. Proof-of-concept code or scripts are often helpful.
Affected Systems/URLs: Specify the systems or URLs that are affected by the vulnerability.
Supporting Evidence: Attach any relevant screenshots, screen recordings, or logs that can help us understand and validate the vulnerability.
Please send your reports to our dedicated security team at [email protected].
04. Responsible Research Guidelines
We encourage responsible and ethical security research. To ensure your research is considered "good faith" under this policy, we ask that you adhere to the following guidelines:
Focus on Scope: Limit your testing to systems explicitly identified as in-scope in this policy.
Minimize Impact: Conduct your research in a way that minimizes disruption to our services and users. Avoid any actions that could degrade, disrupt, or damage our systems or data.
Report Privately: Report vulnerabilities directly to us at [email protected] and avoid disclosing the vulnerability to the public or third parties until we have had a reasonable opportunity to address it.
No Data Harm: Do not intentionally access, modify, or disclose sensitive data that is not your own. If access to sensitive data occurs incidentally during your research, cease testing immediately and include this in your report.
Avoid Harmful Activities: Refrain from engaging in activities that are malicious or disruptive, including, but not limited to, denial-of-service attacks, social engineering, phishing, or extortion.
Respect Privacy: Respect the privacy of our users. Do not attempt to access user accounts or private information.
05. Our Commitment to Researchers
We deeply appreciate the efforts of security researchers who contribute to improving Geopera's security posture. When you submit a vulnerability report that adheres to this policy, you can expect the following from us:
Prompt Acknowledgement: We will acknowledge receipt of your report within two business days.
Timely Communication: We will keep you informed about the progress of our investigation and remediation efforts.
Vulnerability Remediation: We are committed to validating and addressing reported vulnerabilities in a timely manner.
Recognition (Optional): With your permission, we are happy to publicly acknowledge your contribution to Geopera's security.
Safe Harbor Protection: Researchers who follow this policy will be considered to be conducting authorized research and will be afforded safe harbor as detailed below.
06. Safe Harbor Promise
We consider security research conducted under this policy to be authorized. We will not initiate or support legal action against researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. We believe that when you conduct security research in good faith, and adhere to the guidelines outlined in this policy, your activities should be protected. We commit to working with you to understand and resolve vulnerabilities reported to us before public disclosure, and we extend this safe harbor to match that commitment.
This safe harbor applies only to vulnerability reports submitted through our official channels and in compliance with this policy. It does not apply to activities that are unlawful, malicious, or conducted for personal gain or public attention.
07. Contact Us
If you have any questions or need further clarification about this Responsible Disclosure Policy, please do not hesitate to contact our security team at [email protected].
08. Policy Updates
Geopera reserves the right to modify or update this Responsible Disclosure Policy at any time. Any changes will be posted on our website, and we encourage you to review this policy periodically. We will date the policy with the latest modification date. For reports submitted prior to a policy update, we will honor the policy that was in effect at the time of submission. In the event of material changes, we will endeavor to notify the security research community.