Brand Promise

Galvanize is committed to providing a robust and secure service that protects our customers' data. We provide our service to customers and we also use it ourselves—storing our corporate data in our products. We do so knowing that our platform is built upon industry-leading security technology, refined principles and practices, and ongoing investments in security training, testing, independent audits, expert consulting, and advanced tooling.

Toward this end, Galvanize is now formalizing our policy for accepting vulnerability reports for our products. We hope to foster an open partnership with the security community, and we recognize that the work this community does is important in continuing to ensure safety and security for all of our customers.

We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

Program and Scope

Scope

Galvanize’s Vulnerability Disclosure Program initially covers the following products:

While Galvanize develops other products, we ask that all security researchers submit vulnerability reports only for the stated product list. We may increase our scope in the future as other products are developed or updated.

We Will Not Take Legal Action If…

Legal Posture

Galvanize will not engage in legal action against individuals who submit vulnerability reports through our Support Team. We will accept reports for the currently listed Galvanize products. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems or research without harming Galvanize or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers.
  • Adhere to the laws of their location and the location of Galvanize.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Terms and Conditions

By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to Galvanize:

  • You commit yourself to the principle expressed in this guideline to avoid any harm to Galvanize users, and you therefore agree not to publicize information about threats and vulnerabilities of the Galvanize software or platform before a fix and/or patch has been made available by Galvanize.
  • You agree that Galvanize may use such Feedback to update and/or improve its software; and you grant to Galvanize a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to Galvanize's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner Galvanize chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of Galvanize's and its sublicensees' products or services embodying Feedback in any manner and via any media Galvanize chooses, without reference to the source. Galvanize shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives.

Communication Mechanisms and Process

How to Submit a Vulnerability

To submit a vulnerability report to Galvanize’s Support Team, please send an email to support@wegalvanize.com.

Nonbinding Submission Preferences and Prioritizations

Preference, Prioritization, and Acceptance Criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English.
  • Reports that include proof-of-concept code.
  • Reports that include more than automated tool output.
  • Reports that include how you found the bug, the potential impact, and any potential remediation.

What you can expect from us:

  • A timely response to your email.
  • After triage, an expected timeline, with a commitment to be as transparent as possible about the remediation timeline and about any issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability has been remediated.

Versioning

This document, Version 1.1, was created in June 2020. [We update or renew this policy at least annually.]