Redfish Labs, Inc. dba Torch Leadership Labs
Redfish Labs, Inc. dba Everwise
Vulnerability Disclosure Program
Last Updated on May 13, 2024
Purpose
Torch recognizes the value external security researchers may bring to the security of Torch systems and is committed to safeguarding the data within those systems. This Vulnerability Disclosure Program (VDP) provides guidelines for security researchers to conduct vulnerability discovery activities in good faith. If you believe you have found a security vulnerability, we encourage you to reach out to security@torch.io. Torch will investigate all legitimate reports and will respond quickly to remediate identified issues. However, before reporting, please review this VPD for the scope of the program and authorized activities.
Authorized Activities
If a security researcher complies with this policy, Torch will consider all vulnerability discovery activities as authorized and performed in good faith.
Once a researcher establishes that a vulnerability exists, or encounters any sensitive data (including personally identifiable information) they must stop testing and notify Torch immediately through our vulnerability disclosure process.
-
Disclose any real or potential vulnerability within 72 hours of discovery.
-
Make every reasonable effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
-
Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence.
-
Do not use any exploit to compromise or exfiltrate data; open, take, or delete files; establish command-line access and/or persistence; or pivot to other systems.
-
Do not escalate privileges or attempt to move laterally within the network.
-
Do not disrupt access to Torch services or introduce any malware in the course of testing.
-
-
Do not publicly disclose reported vulnerabilities.
-
Do not submit a high volume of low-quality reports.
Unauthorized Activities
-
Testing by security researchers must be conducted to the minimal amount necessary to prove that a vulnerability exists. Once a vulnerability is established to exist, testing must stop and notification to Torch through our vulnerability disclosure process is necessary.
-
Large-scale vulnerability scanners, scrapers, or automated tools that produce excessive amounts of traffic.
-
Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running a scan against one host is allowed, but sending 50,000 requests in two minutes using an automated tool is considered excessive.
-
-
Do not attempt to:
-
Perform any denial-of-service or distributed-denial-of-service attempts.
-
Social engineering of any kind; spam, spear phishing, etc.
-
Establish command-line access and/or persistence.
-
Pivot to other systems or move laterally within the network.
-
Escalate privileges.
-
Disrupt access to Torch production services or users.
-
Introduce any malware in the course of testing.
-
Intentionally accessing the content of any communications, data, or information in transit or stored on any Torch information system.
-
Exfiltrate, copy, open, download, or delete files on any Torch system.
-
Reporting Guidelines
By submitting a report or communicating with Torch, we will assume that the submitter read, understands, and agrees to the guidelines prescribed in this policy.
Torch will accept all vulnerability disclosures sent to security@torch.io.
Security researchers must provide a detailed summary of the vulnerability, including the following:
-
description of the vulnerability and its potential impact
-
product, version, and configuration of any software or hardware potentially impacted
-
step-by-step instructions to reproduce the issue
-
proof-of-concept
-
suggested mitigation or remediation actions
Torch’s Promise
Torch will appropriately investigate all vulnerability disclosures to validate the vulnerability, prioritize the risk, and ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
Torch is committed to coordinating with the security research community as openly and quickly as possible. This includes:
-
Acknowledging vulnerability report within three (3) business days.
-
Confirming the existence of the vulnerability to the researcher to the best of our ability and informing the researcher of any issues or challenges that may delay resolution.
-
Maintaining an open dialogue with individual researchers to discuss reported issues.
-
If researchers conduct vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, Torch will not initiate or recommend any law enforcement or civil actions related to such activities and will consider all vulnerability discovery activities were performed in good faith.
Questions?
Contact security@torch.io