Responsible Disclosure Policy
- Approved on: December 2021
- Next Scheduled Review: December 2022
This Responsible Disclosure Policy outlines Lean’s expectations in relation to security researchers safely reporting found vulnerabilities to Lean regarding Lean’s websites, dashboards and portals.
At Lean Technology, we take the security of our systems seriously and we value the ongoing efforts of the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our End-users.
This Responsible Disclosure Policy (the “Policy”) applies to the Lean Technologies group of companies (hereafter collectively referred to as “Lean”). It outlines the steps to be followed by persons visiting, exploring and/or using any of Lean’s websites including mobile applications, dashboards and portals (the “Lean Systems”) upon encountering a security vulnerability or weakness.
Please note that whilst we are appreciative of any disclosure made to us relating to a potential security vulnerability or weakness, we do not currently offer any bug bounty programme which entitles the security researcher to claim any payment or reward for their efforts and for reporting the security vulnerability.
2. How to report a security vulnerability?
If you believe you have identified a potential security vulnerability in a Lean System, kindly report your findings promptly to Lean by emailing firstname.lastname@example.org. Please include the following details with your report:
- description of the location and potential impact of the vulnerability;
- a detailed description of the steps required to reproduce or validate the vulnerability (proof of concept, scripts and screenshots are helpful);
- your name/handle and a link to contact you; and make the report in English, if possible.
Notwithstanding any other requirements under applicable laws, we require that all security researchers:
keep information about any vulnerabilities you’ve discovered confidential between yourself and Lean until we’ve had at least 90 days from the date we have acknowledged your report to resolve the issue; and
make every effort to avoid violating privacy in the country you are based, destroying data (including personal data), interrupting or degrading the Lean Systems and/or causing a degradation of End-user experience.
3. Matters outside the scope of testing
In the interest of the safety of our End-users, employees and you as a security researcher, the following is excluded from the scope of any testing:
- modifying or accessing data (including personal data) that does not belong to you;
- initiating a network level distributed denial-of-service (DDoS) attack i.e. a malicious attempt to disrupt the normal traffic of the Lean Systems by overwhelming our infrastructure with a flood of internet traffic;
- spamming the Lean Systems;
- findings derived from social engineering or phishing of Lean, our employees, contractors and other affiliates;
- any non-technical vulnerability testing;
- information concerning UI and UX bugs, and spelling mistakes;
- conducting any attacks against Lean’s physical property or data centres, including findings from physical testing such as office access (e.g. open doors, tailgating etc.); and/or
- submitting a high volume of low-quality reports.
4. Engaging with Lean
When you share a security vulnerability report and your contact information with Lean, we commit in good faith to coordinate with you as openly and as quickly as reasonably possible to:
- acknowledge that your report has been received; and
- confirm the existence of the vulnerability and to be as transparent as we may reasonably be (whilst protecting the interests of our business) about what steps Lean is taking to remediate the issue, including any challenges that may delay our resolution of the issue.
Whilst we are committed to continually improving the Lean Systems and addressing any vulnerabilities identified to us, any such findings which may relate to our testing environments (i.e. our sandbox and/or other test systems) will be treated as low priority. We will not provide details of a timeline to resolve such issues.
5. Contact Us
For any questions or comments concerning this Policy please contact us at email@example.com.