Top Producer looks forward to working with the security community in an effort to keep our businesses and customers safe. If you are a security researcher and have identified a suspected security vulnerability in one of our properties, we appreciate your help in disclosing it to us in a coordinated and responsible manner. If you report a valid security vulnerability in compliance with this Responsible Disclosure Policy (“Policy”), Top Producer will endeavor to collaborate with you to understand, validate and resolve the issue.
The intent of this program is to encourage coordinated and responsible disclosure. Unless required by law or law enforcement authorities, Top Producer does not intend to initiate a lawsuit or law enforcement investigation against a security researcher who discovers and reports a security vulnerability in compliance with this Policy. Top Producer reserves all legal rights in the event of any noncompliance. If your security research involves the networks, systems, information, applications, products, or services of another party, including a third-party application that is integrated with Top Producer property, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.
Your participation in this program is voluntary and subject to the terms and conditions set forth in this Policy. By submitting reports or otherwise participating in this program, you agree that you have read and will follow this Policy.
Top Producer reserves the right to change or modify the terms of this program or terminate this program at any time. Please submit your findings to email@example.com.
This policy applies to the Top Producer family of websites, and mobile apps, and mobile-optimized websites.
The following domains (and their subdomains) are considered Top Producer family of websites: https://www.topproducer.com
Any domains not expressly listed above, are excluded from scope and are not authorized for testing.
As with most security disclosure programs, there are some restrictions:
Disclosure procedure and confidentiality:
- Vulnerabilities must be disclosed to us privately with a reasonable time to respond. We will seek to respond quickly to your report. You are not permitted to disclose a vulnerability or otherwise share details about a vulnerability with a third party prior to resolution without Top Producer’s express written permission.
- You must include detailed information with reproducible steps. We request that researchers provide sufficient technical details and background necessary for us to identify and validate reported issues.
- We will not publicly disclose the identity of any researcher without consent, except where required by law.
- As a condition of participation in this program, you waive any rights to the confidentiality of the submitted work and, further, grant Top Producer an irrevocable, worldwide, royalty-free, perpetual transferable, sub-licensable license to use the submitted research, as well as any materials submitted therewith, for any purpose, and waive claims against Top Producer based on Top Producer’s license or the rights granted herein.
Security testing requirements:
- You must abide by the program scope.
- You must comply with all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
- You must securely delete Top Producer information that may have been downloaded, cached, or otherwise stored on systems used to perform the research.
- You may only use or interact with your own accounts for testing purposes. Do not attempt to compromise or otherwise gain access to an account you do not own.
- Do not exploit a vulnerability you discovered for malicious purposes.
- You are prohibited from engaging in any activity that would be disruptive, damaging or harmful to Top Producer, its businesses or its customers. This includes, without limitation:
- social engineering techniques (e.g., phishing);
- posting, transmitting, uploading, linking to, sending, or storing any malicious software
- testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)-based attacks.
- You are prohibited from engaging in any privacy violations, trading stolen user credentials, or destroying data.
- You may not access data except to the extent minimally necessary to identify a vulnerability, and use of such data must be limited to that which is necessary to identify and report the vulnerability. You are prohibited from compromising data that is not your own.
- You are prohibited from engaging in any activity that results in you or any third party accessing, acquiring, altering, copying, storing, sharing, transferring, deleting or otherwise processing customer or employee personal information, or Top Producer confidential information. If you inadvertently engage in any such activity, please stop testing and contact us immediately at firstname.lastname@example.org. All copies of such information must be securely returned to Top Producer or purged upon submitting the vulnerability to Top Producer.
Please submit a report to us or request additional testing permission before causing damage or engaging in conduct that may be inconsistent with this Policy. If you inadvertently cause a violation of this program Policy, please report the incident immediately to email@example.com.
Please note our disclosure program does not provide any monetary or non-monetary reward.