Contact: mailto:security@gopigment.com
Expires: 2025-01-00T00:00:00.000Z
Preferred-Languages: en,fr
Canonical: https://pigment.app/.well-known/security.txt
Canonical: https://pigment.app/security.txt

# PIGMENT'S VULNERABILITY DISCLOSURE POLICY

Security is one of Pigment's fundamentals. We highly value the time and effort invested in good faith by security researchers in helping us build a more secure platform for our partners and users. As such, we encourage the responsible disclosure of vulnerabilities related to Pigment's products, web properties and APIs.

This Policy sets out the rules under which we expect the research and reporting of vulnerabilities to be conducted, as well as what you can expect from us in return.

If you are a security researcher and have discovered a security vulnerability in our platform, we appreciate your help in disclosing it to us in a responsible manner. If you would like to report a security issue such as a vulnerability or an incident, you may do so with an email addressed to security@gopigment.com.

## Ground rules

In order to avoid any confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing and reporting vulnerabilities:

- Take all reasonable measures to only interact with test accounts you have created on the platform;
- Do not use physical attacks, social engineering, distributed denial of service or spam;
- Do not engage in security testing of the third-party products and services that are leveraged by Pigment for the performance of its own service;
- If you manage to gain unauthorized access to any data or systems, limit the amount of data or privileges you gain access to, to only the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing;
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
- Report any vulnerability you've discovered promptly (i.e. within days, not weeks). Do not take advantage of the vulnerability or problem;
- Only use the specified communication channels listed above to discuss or report vulnerability information to us, and provide sufficient information so that we will be able to resolve the vulnerability as quickly as possible;
- Do not disclose vulnerabilities you've discovered to the public or to any third party until we have formally authorized you to do so in writing;
- Obviously, do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our partners or our users.

## Communication

If you think you've found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission.

Please do your best to include the following details with your report, and be as descriptive as possible:

- The exact location (vulnerable URLs and parameters) and the nature of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (screenshots, screen recordings, and proof-of-concept scripts are all helpful if applicable);
- A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

## Expectations

When working with us according to this Policy, you can expect us to:

- Acknowledge or dismiss the finding and work to remedy acknowledged vulnerabilities in a timely manner;
- Handle your report with confidentiality and respect written requests for anonymity;
- On a case-by-case basis, credit you for the finding.

## Legal Matters

When conducting vulnerability research in good faith and in accordance with the terms specified in this Policy, we consider this research to be:

- Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.

We won't take legal action against, suspend, or terminate access to our platform for those who discover and report security vulnerabilities responsibly. Pigment reserves all of its legal rights in the event of any noncompliance.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through the above-mentioned communication channel before going any further.

Last updated: January 20, 2022