Vulnerability Disclosure Policy

Agent Legend, Inc is committed to ensuring the safety and security of our customers. Toward this end, Agent Legend now formalizing our policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and recognize that the work the community does is important in continuing to ensure safety and security for all of our customers.

We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

Legal Posture

Agent Legend, Inc will not engage in legal action against individuals that submit vulnerability reports through our Vulnerability Reporting Form. We openly accept reports for the currently listed Agent Legend products.

We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Agent Legend or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Adhere to the laws of their location and the location of Agent Legend, Inc. For example, violating
    laws that would only result in a claim by Agent Legend. (and not a criminal claim) may be
    acceptable as Agent Legend is authorizing the activity (reverse engineering or circumventing
    protective measures) to improve its system.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon
    timeframe expires.

How to Submit a Vulnerability

To submit a vulnerability report to Agent Legend’s Product Security Team, email security@agentlegend.com.

Report Acceptance Criteria

We will use the following criteria to decide whether or not to accept the report. Report
declines mean that the report was not of sufficient quality or was out of scope.

What we would like to see from you:

  • Well written reports in English will have a higher chance of being accepted.
  • Reports that include proof of concept code will be more likely to be accepted.
  • Reports that include only crash dumps or other automated tool output will most likely
    not be accepted.
  • Reports that include products not on the covered list will most likely be ignored.
  • Include how you found the bug, the impact, and any potential remediation.
  • Consideration for vulnerabilities that may have safety impact.
  • Any plans for public disclosure.

What you can expect from us:

  • A timely response to your email (within 2 business days).
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • An expected timeline for patches and fixes (usually within 120 days).
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, Agent Legend may bring in a
neutral third party (such as CERT/CC or ICS-CERT) to handle the vulnerability or may encourage
you to disclose the vulnerability publicly.