Boatzon

Boatzon’s Responsible Disclosure Policy

Responsible Disclosure

Boatzon’s code of ethics, foundation of trust, and its constant efforts to ensure that we are always acting prudently as a company are built upon the confidence that our customers place in us. As a result of these core values, the security of our online platforms - and the data housed within these platforms - is of paramount importance. If you are a security researcher and believe that you have discovered a security vulnerability involving Boatzon services or sites, we encourage you to securely disclose it to us in a responsible manner, as directed by this Responsible Disclosure Policy (the “Policy”). Boatzon will engage with security researchers when vulnerabilities are reported to us in accordance with this Policy. We will also validate and fix confirmed vulnerabilities affecting our services or sites in accordance with our commitment to security and privacy. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Policy. Boatzon reserves all legal rights in the event of any non-compliance with this Policy.

 

Reporting

We encourage security researchers to share the details of any suspected vulnerabilities with the Boatzon Information Security Team by emailing Security@Boatzon.com. Boatzon will review each submission to determine if the finding: (a) is valid and (b) has not previously been reported. To be considered for monetary compensation, a security researcher must include in the submission detailed information with steps that allow Boatzon’s Information Security Team to reproduce the vulnerability.

 

Boatzon’s Commitment

If you identify a novel and valid suspected security vulnerability in compliance with this Policy, Boatzon commits to:

  • Work with the security researcher(s) to understand and validate the suspected vulnerability; and
  • Address any valid vulnerability or risk (as deemed necessary and/or appropriate by Boatzon).

Noncompliance With this Policy

Public disclosure - by a security researcher or otherwise - of the details of any identified suspected vulnerability without express written consent from Boatzon’s InfoSec Team will cause any Form submission under this Policy to be deemed noncompliant with this Policy.

The Form is not intended to be used by, and this Policy is not directed to:

  • Employees of Boatzon;
  • Boatzon’s subsidiaries, affiliates, or partners;
  • Vendors currently working with or for Boatzon or Boatzon’s subsidiaries, affiliates, or partners; or
  • Residents of countries on the United States Office of Foreign Assets Control’s (OFAC) Sanctions List.

In addition, to remain compliant with this Policy, security researcher(s) are prohibited from:

  • Accessing, downloading, or modifying data residing in an account that does not belong to the security researcher(s);
  • Executing or attempting to execute any “Denial of Service” or related attack against any Boatzon system or service;
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software on or to any Boatzon system or service;
  • Testing any suspected vulnerability in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or any other form of unsolicited message;
  • Testing any suspected vulnerability in a manner that would degrade or negatively impact the operation of any Boatzon service or system; and/or
  • Testing third-party applications, websites, or services that integrate with or link to any Boatzon service or system.