Security Research Policy

Purpose

StackAware works with security researchers and ethical hackers to identify vulnerabilities in Artificial Intelligence systems and models. This policy establishes how StackAware identifies and handles such vulnerabilities and how we disclose findings about them.

Scope

This policy applies to non-StackAware instances of systems or models (“In-Scope Assets”) maintained by vendors, authors, or other providers (“In-Scope Vendors”). StackAware instances of given systems and models are covered under the StackAware Vulnerability Disclosure Program (VDP).

Policy

Identification

When ethically hacking In-Scope Assets, we:-> Comply with the In-Scope Vendor’s Vulnerability Disclosure Policy (or similar) (“VDP”) if it is publicly available.-> If an In-Scope Vendor’s public terms and conditions explicitly prohibit attempts to discover vulnerabilities, we will not target any such covered systems or models.-> Follow industry-standard ethical hacking best practices and comply with applicable laws.

Disclosure

When we identify a potential vulnerability an In-Scope Asset (“Potential Vulnerability”), StackAware:-> Will inform the In-Scope Vendor.-> Will inform all StackAware customers using instances of the In-Scope Asset. StackAware customers are under an obligation of confidentiality with StackAware.-> May disclose a Potential Vulnerability publicly under the following conditions:
– The In-Scope Vendor agrees;
– There is credible evidence of active exploitation;
– The In-Scope Vendor has not responded to StackAware’s notification within 90 days; or
– Doing so is essential for protecting the privacy, safety, or security of StackAware, its customers, or the public interest.
– Otherwise required by applicable law.-> Upon confirmation from an In-Scope Vendor that it does not consider a Potential Vulnerability to actually be security vulnerability, reserves the right to publicly document the issue (“Public Documentation”). In-Scope Vendors will have 7 days to comment on the Public Documentation prior to release, but do not have veto authority because StackAware considers Public Documentation outside the scope of the relevant VDP.

Questions

StackAware is aware of malicious actors pretending to operate under the guise of "responsible disclosure" efforts. It can thus be difficult to determine what is a legitimate disclosure and what is the start of a social engineering scam.Thus, please contact [email protected] if you have any questions about this policy or would like to verify our identity.