Introduction
Object First is committed to helping our partners and customers minimize the risk associated with any security vulnerabilities. As a cosigner of CISA’s Secure by Design pledge, we are dedicated to maintaining industry best practices in security and vulnerability handling and providing customers with timely information, guidance, and mitigation options to address vulnerabilities.
Handling Vulnerability Reports
We welcome reports and disclosures from industry partners and security researchers. Our goal is to have remedies or mitigation strategies available at the time of disclosure, in collaboration with third-party vendors when needed.
If you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our products, we want to hear from you.
Under this disclosure policy, all information disclosed about new vulnerabilities is considered confidential and will only be shared between Object First and the reporting party if the information is not already public knowledge, until Object First’s security team confirms that remediation is available and explicitly authorizes coordinated disclosure.
Systems in Scope
This policy applies to any products manufactured, sold, owned, operated, or maintained by Object First.
Out of Scope
Products or other equipment not owned by the parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Our Commitments
When working with us you can expect us to:
- Respond to your report promptly and work with you to understand and validate your report.
- Keep you informed about the progress of a vulnerability as it is processed.
- Work to remediate discovered vulnerabilities promptly, within our operational constraints.
- Extend ‘Safe Harbor’ for your vulnerability research related to this policy.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
- Report any vulnerability you’ve discovered promptly.
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
- Use only official channels to discuss vulnerability information with [email protected].
- Provide us a reasonable amount of time (minimum 90 days from the initial report) to resolve the issue before you disclose it publicly.
- Perform testing only on in-scope systems and respect systems and activities that are out-of-scope.
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or any other proprietary information.
- Interact only with test accounts you own or for which you have explicit permission from the account holder.
- Do not disclose vulnerability details until agreed upon with Object First’s security team.
- Do not store any data discovered during the testing process.
- Do not engage in extortion.
Report a security vulnerability
If you believe you’ve identified a security vulnerability in an Object First product or service, we encourage you to report it so we can investigate and address the issue quickly.
How to Report
Email [email protected] with a clear description of what you found, including any details that will help us triage efficiently. If you’re unsure whether your testing aligns with this policy, reach out to the same address.
What to Include
- A summary of the issue and potential impact
- Detailed steps to reproduce the vulnerability
- Product name, version, and environment details
- Any proof-of-concept material
- Your preferred contact information
Please avoid downloading, storing, or sharing any sensitive information. If you encounter such information, stop testing immediately and include your observations in your report.
What to Expect
Our security team will acknowledge your report, review the issue, and follow up with the next steps. We’ll keep you informed as we work toward a resolution.
Safe Harbor
Object First supports good-faith security research. “Safe Harbor” means that if you follow this policy and conduct testing responsibly, we will treat your research as authorized and will not pursue legal action for accidental violations that occur during your investigation.
When you conduct vulnerability research under this policy, we consider this research to be:
- Authorized under applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy
- Authorized under relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technical controls
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis
- Lawful, helpful to overall security, and conducted in good faith.
You are expected to comply with all applicable laws in your research, testing, and reporting. If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Third Party Involvement
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy and that the policy does not bind independent third parties.