Skip to content

Vulnerability Disclosure Policy

Last Updated:  October 27, 2023

Mark43: Vulnerability Disclosure Program Policy

Thank you for taking interest in the security of Mark43. We value the security of our customers, their data, and our services. In an effort to protect our digital ecosystem, we’ve created this page to allow security researchers from around the world to report any potential security vulnerability issues they may have found.  When you submit your findings regarding potential vulnerabilities with the Mark43 digital ecosystem, you and Mark43 agree as follows:

Mark43 agrees to:

  • Maintain trust and confidentiality in our exchanges with researchers who report to the program.
  • Treat everyone who contributes with respect - we appreciate your contribution to keeping us and our customers safe and secure.
  • Work with you to validate and remediate reported vulnerabilities.
  • Investigate and remediate issues in a manner consistent with protecting the safety and security of both on-prem and cloud customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

You agree to:

  • Not disclose any content or information contained within your submission, or otherwise relating to any potential vulnerabilities with the Mark43 digital ecosystem, to any party other than Mark43. As we promise to maintain trust and confidentiality with you, we ask that you do the same with us.
  • Provide as much information in your submission as possible regarding your findings. It is vital to provide clear reproduction steps regarding your findings so that we may validate the report in a timely manner.
  • Adhere to the out of scope section below.
  • Add your email address to the submission, so we can get in touch with you about any technical details as needed.

Out of scope:

  • Testing the physical security of our offices, employees, equipment, etc.
  • Conducting non-technical attacks such as social engineering or phishing attacks.
  • DoS/DDoS or any other testing that would impact the operation of our systems.
  • Accessing, downloading, modifying, or using data residing in an account that does not belong to you.
  • Testing that would result in sending spam or other unsolicited messages.
  • Testing third party applications or services.
  • Defacing any of our assets.

Below you will find the form where you can submit your findings. Please remember to include as much information as possible in a clear manner regarding your findings to help facilitate validation, and to provide your email address to ensure you can claim your submission and continue communication as needed.