Vulnerability Disclosure Policy

Last Updated on August 28th, 2025

Introduction

This policy explains how to report security vulnerabilities in Conduct products and infrastructure. It applies to any Conduct asset that publishes a security.txt file referencing this policy and to the assets listed in Scope below. Please read this policy before you report a vulnerability. We value good-faith research and coordinated disclosure. Conduct does not offer monetary rewards for reports.

Reporting

Send reports to legal@useconduct.com. Include:

  • The asset and exact location where the issue is observable

  • A short description of the vulnerability type

  • Step-by-step reproduction with a benign proof of concept

  • Impact assessment if known and any preconditions

  • Your contact details and preferred disclosure timeline

Please encrypt sensitive details if possible. A PGP key is available on request.

What to expect

  • We acknowledge your report within 5 business days

  • We aim to triage within 15 business days

  • We will keep you updated at least every 14 days until resolution

  • Remediation priority is based on impact, severity, and exploit complexity

  • We will notify you when a fix is deployed and may ask you to validate

After resolution, we welcome coordinated public disclosure. Please work with us on timing and wording so guidance to customers is consistent and accurate.

Testing guidelines

Help us protect customer data and service availability. When researching, you must:

  • Use your own test data and accounts only

  • Limit the number of requests needed to prove impact

  • Stop immediately if you encounter customer data, PHI, or PII and report the finding

  • Securely delete any data retrieved during testing as soon as it is no longer required, and in any case within 30 days of resolution

You must not:

  • Break any law or breach agreements

  • Access, modify, or exfiltrate customer content or policy data

  • Attempt denial of service or resource exhaustion

  • Run high-intensity or destructive scanners

  • Social engineer, phish, or physically attack Conduct staff or facilities

  • Use findings to pivot into customer environments

  • Demand payment

Findings that are generally out of scope:

  • Best-practice gaps without an exploitable security impact

  • TLS configuration preferences such as cipher choices that do not create a practical risk

  • Missing security headers without demonstrated impact

  • Clickjacking on pages with no sensitive actions

  • Rate limiting concerns without a clear abuse path

Legal

This policy does not grant rights to act against applicable laws or contracts. Your testing must respect all legal and regulatory requirements. By submitting a report you agree that Conduct may use the information to remediate the vulnerability and to contact you about your report.