Scarlet Shark Trust Center
Security Policies
Security Control

  • Continuous Data Backups
  • Multifactor For Developer Accounts
  • Multifactor For Hosting Accounts
Third Party Services

Entity Name        Purpose
Github             Development Platform
Medium             Blog Hosting
Mapbox             Map Tile Images
Microsoft Azure    Cloud Hosting
Paddle             Payment Processing
Postmark           Email Parsing and Bulk Email Sending
Proton Mail        Employee Email
UptimeRobot        Uptime and Reliability Monitoring

Vulnerability Disclosure

Introduction

Scarlet Shark has established a Vulnerability Disclosure Program to provide security researchers with clear guidelines for identifying vulnerabilities in Scarlet Shark systems and websites. This program also communicates Scarlet Shark's preferences for submitting any discovered vulnerabilities.

The Vulnerability Disclosure Policy outlines the systems and types of research included in this program, explains the process for submitting vulnerability reports, and details the requirements for public disclosure of submitted vulnerabilities.

Authorization

Security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in this Vulnerability Disclosure Program.

Efforts made in good faith to comply with this policy during all security research will be considered authorized. Scarlet Shark will work closely with the researcher to understand and promptly resolve any issues and will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against the security researcher for research conducted in accordance with this policy, Scarlet Shark will reaffirm this authorization.

Applicability and Scope

This policy is for security researchers interested in reporting system security vulnerabilities and is intended for authorized Scarlet Shark publicly available systems/services only. This policy applies to anyone wishing to conduct vulnerability discovery activities, including research and testing conducted on the DOC's publicly available systems/services within the Scarlet Shark domains. Specifically, this policy applies to the following Scarlet Shark websites, information systems, and digital services intended for public use or made internet-accessible:

  • scarletshark.com
  • scarletshark.email
  • scarletshark.net
  • api.scarletshark.com
  • cdn.scarletshark.com

Out-of-Scope Systems and Services:

Information systems, websites, or services owned and operated by vendors or other entities; vulnerabilities found in information systems from our vendors and other entities fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any).

Non-public facing or non-internet-accessible websites, information systems, and digital services.

The websites, information systems, and services listed above are excluded from the testing provisions and legal protections afforded to Reporters within this policy. If Reporters are uncertain whether a website, information system, or digital service is in scope of this policy, they should reach out to the DOC Vulnerability Disclosure Program at support [AT] scarletshark.com.

Guidelines

Under this policy, "research" means activities in which you:

  • Notify Scarlet Shark as soon as possible after the discovery of any real or potential security issue(s).
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports.
  • Upon the discovery of a vulnerability or sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party):
      • Stop all tests.
      • Notify Scarlet Shark immediately via email at support [AT] scarletshark.com.
      • Do not disclose this data to anyone.

Vulnerability Reports

To report identified vulnerabilities, security researchers should:

  • Submit vulnerability reports via email to support [AT] scarletshark.com.
  • Describe the location where the vulnerability was discovered and any known potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots).
  • Submit vulnerability reports anonymously, if desired. If a security researcher provides Scarlet Shark with an email address, Scarlet Shark will acknowledge receipt of submitted reports via email within three (3) business days.
  • Keep confidential any information about discovered vulnerabilities for up to ninety (90) calendar days after notifying Scarlet Shark.

Coordinated Disclosure

Scarlet Shark is committed to patching vulnerabilities within ninety (90) days and disclosing the details of those vulnerabilities when patches are published. We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to improve software is to enable everyone to learn from each other's mistakes.

At the same time, disclosure in the absence of a readily available patch tends to increase risk rather than reduce it. Therefore, we ask that security researchers refrain from sharing reports with others or releasing reports to the public while patching is ongoing. If there is a need to inform others of the submitted report before the patch is available, please coordinate with Scarlet Shark via email at support [AT] scarletshark.com before release for assessment.

Use of Vulnerability Reports

Information submitted under this policy shall be used by Scarlet Shark for defensive cybersecurity purposes (i.e. to mitigate or remediate vulnerabilities). If an issue has been reported and determined to be both within the program scope and a valid security issue, Scarlet Shark will validate the finding(s), and the security researcher can disclose the vulnerability after a resolution has been issued. The details within the Vulnerability Intake form may be submitted to an independent third-party vendor for evaluation and handling.

Unauthorized Testing Methods

The following test methods are not authorized by Scarlet Shark:

  • Testing any systems other than the systems set forth in the 'Scope' section of this policy.
  • Physical testing of facilities or resources (e.g., office access, open doors, tailgating).
  • Social engineering (e.g., phishing, vishing, spam, and other suspicious emails), and any other non-technical vulnerability testing.
  • Network denial of service (DoS or Distributed DoS) or tests that impair access to or damage availability to a system or data.
  • Tests that exhaust bandwidth or are resource-intensive.
  • Unidentified malware, viruses, Trojan horses, or worms.
  • Rainbow tables, password cracking, or brute force testing.
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Scarlet Shark systems, or "pivot" to other Scarlet Shark systems.
  • Test third-party applications, websites, or services that integrate with or link to or from Scarlet Shark systems.
  • Delete, alter, share, retain, or destroy Scarlet Shark data, or render Scarlet Shark data inaccessible.

Questions

Questions or suggestions regarding this policy may be sent to support [AT] scarletshark.com.