We aim to acknowledge new reports within a reasonable business window, investigate in good faith, and keep you informed as we triage and remediate. We do not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of service.
- Stop testing and notify us as soon as a vulnerability is confirmed.
- Do not exploit the issue beyond what is needed to demonstrate it, and do not retain customer data.
- Give us a reasonable opportunity to remediate before public disclosure.
This page describes our intent for good-faith handling and does not create any contractual or legal commitment beyond that.