Vulnerability Disclosure Policy

Vulnerabilities Discovered by Horizon3.ai

When we discover vulnerabilities in third-party software, hardware, or services, we abide by the following policy with regards to coordinated disclosure. The aim of this policy is to provide vendors and project maintainers a reasonable amount of time to address reported issues, which will later be publicly disclosed in an effort to provide customers and the wider security community with the actionable information they need to secure their environments.

Disclosure Process

Initial Contact:

  • We will make a good-faith effort to obtain a security contact with the vendor. 
  • If a contact is unable to be obtained within two weeks of the initial contact attempt, we may proceed directly to public disclosure. 

Private Disclosure: 

  • We will provide the security contact with any and all information required to reproduce our discoveries.
  • If any of our customers are affected by a discovered issue, we may provide them with limited information regarding the potential exposure so that they may implement any necessary mitigations while awaiting a fix.

Timeline: 

  • We operate with the industry-standard 90-day disclosure timeline, which begins on the day details of the issues are sent to a security contact.
  • If it is discovered that a disclosed issue is under active exploitation, we may forgo the 90-day timeline in favor of an expedited 7-day timeline.

Communication: 

  • We expect regular status updates from the security contact regarding reported findings. 
  • Once a fix or patch is close to being ready for release, we will begin coordinating a date and time to release our mutual advisories (if applicable).
    • Please note, the release of any sort of patch, fix, or other information regarding the reported issue will be considered public disclosure.
  • If applicable, we will reserve and assign CVE identifiers for reported findings and communicate these to the security contact in advance of public disclosure.
  • If at any point the security contact becomes consistently unresponsive or is deemed to be acting in bad faith, we may proceed directly to public disclosure.

Public Disclosure: 

  • Once the timeline ends or a fix has been implemented, whichever comes first, we may publish technical details of our findings publicly to help our customers and the community understand and mitigate the risk.

We (Horizon3.ai) reserve the right to deviate from this policy for any reason that we deem appropriate. 

 

Vulnerabilities Reported to Horizon3.ai

If you believe you’ve found a vulnerability in one of our products, services, or infrastructure, we encourage you to share it with us. We welcome all good-faith reports.

How to Report

If you are a Horizon3.ai customer, please contact your support representative. Otherwise, please send reports to support@horizon3.ai. Reports should include the following information:

  • The products and services affected and any pertinent version information
  • A clear description of the issue and its impact
  • Steps that can be taken to reproduce the issue independently
  • Any other relevant artifacts such as screenshots, proof of concepts, etc.

Please include your full report in the body of the email as all attachments will be stripped. If any artifacts are too large or inconvenient to include in the report, please let us know and we will provide you with a private upload link for secure transmission.

Our Process

Acknowledgment:

  • We aim to acknowledge and respond to reports in a timely manner. 

Assessment: 

  • We’ll verify and assess the issue and its impact.
  • Once verified, we’ll begin implementing fixes as necessary.

Communication: 

  • We’ll do our best to keep you informed and updated throughout the disclosure process. 
  • We’ll request any clarification as needed.

Timeline: 

  • We aim to resolve verified issues within 90 days of submission.
  • If additional time is needed, we’ll make the request as soon as possible.

Disclosure

We prefer to coordinate public disclosure with researchers once a fix or mitigation is available. In some cases, we may need to request additional time. We’ll do our best to make this request as soon as we become aware of the need. If we don’t plan to fix a reported issue, we’ll let you know.

For verified reports, we will…

  • … publish security advisories when relevant.
  • … reserve and assign any relevant CVE identifiers prior to publication.

We will make no efforts to prevent researchers from disclosing their findings publicly so long as we have been given a reasonable opportunity and timeframe to fix any reported issues. If you intend to disclose your findings publicly, we may ask for an advance copy of your report, blog, or article so that we may prepare for potential questions from our customers or the community. 

Appendix A

Vulnerability Disclosure Program — Legal Terms

  1. Authorization

    • By participating in this program, you agree to abide by the terms outlined herein.

    • We authorize good-faith, responsible security research strictly in accordance with this policy. Activities conducted under this policy will be considered authorized, provided they are conducted responsibly, avoid privacy violations, data destruction, or service disruption, and comply with all applicable laws.

  2. Safe Harbor Provision

    • If you comply with this policy while conducting your security research, we will not initiate legal action against you. We will consider your research to be authorized, and we will work with you to understand and remediate the issue.

    • We will not pursue legal action against you for accidental, good-faith violations of this policy. However, this safe harbor provision does not extend to actions that are reckless, negligent, or performed in bad faith.

    • Please note that this safe harbor applies only to legal claims under our control and does not bind independent third parties or governmental authorities.

  3. Limitation of Liability

    • To the fullest extent permitted by applicable law, you acknowledge and agree that our company is not liable: UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (i) DIRECT DAMAGES; (ii) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (iii) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (iv) LOSS OF GOODWILL OR REPUTATION; (v) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, LOSS OR  BREACH OF DATA OR SYSTEM SECURITY OR SYSTEM DOWNTIME AS A RESULT OF YOUR SECURITY TESTING ACTIVITIES.

  4. Confidentiality and Reporting

    • Vulnerability reports submitted through this process will be treated as confidential information “Confidential Information”), which shall be defined as any information disclosed or accessed during or as a result of the security testing.

    • You acknowledge that any personal data inadvertently accessed during testing must be immediately reported to us and shall be deemed Confidential Information and not used for any purpose.

    • Premature public disclosure of security testing information, including but not limited to test results or vulnerability reports, may forfeit your eligibility for safe harbor protections and any potential recognition.

  5. Changes to Policy

    • We reserve the right to modify or deviate from this policy for any reasons and at any time that we deem appropriate.