Responsible Disclosure Policy

  • Approved on: 9 July 2020
  • Next Scheduled Review: 2021

Description

This Policy outlines Lean’s expectations of the users of its websites, dashboards and portals.

1. Introduction

This Responsible Disclosure Policy (the "Policy") is published by Lean Technologies, Inc., its affiliates and subsidiaries (collectively "Lean") and outlines the steps to be followed by persons visiting, exploring and/or using any of Lean’s websites (including mobile applications), dashboards and portals (collectively "Lean Systems") upon encountering a security vulnerability or weakness. Data security is a top priority for Lean, and Lean believes in the importance of continuously enhancing the Lean Systems by working with skilled security researchers who can help identify and address any vulnerabilities in the Lean Systems. If you encounter a security vulnerability in a Lean System, kindly notify Lean in accordance with the below procedure and Lean will work with you to resolve the issue promptly.

2. Procedure

If you believe you have identified a potential vulnerability in a Lean System, kindly follow the below steps which may qualify you for a reward (conditions and restrictions apply).

  1. inform Lean promptly by emailing security@leantech.me
  2. notwithstanding requirements under applicable laws, allow Lean a reasonable amount of time before disclosing any vulnerability or security issue to the public or a third party, in any case not less than three months.
  3. make every effort to avoid violating privacy, destroying data, interrupting or degrading Lean Systems. This can be achieved by, among other things, restricting interactions to the domains you own or for which you have explicit permission from the account holder.
  4. provide sufficient details of the vulnerability in accordance with Section 3 of this Policy
  5. refrain from the following:
       • modifying or accessing data that does not belong to you;
       • Distributed Denial of Service (DDoS);
       • spamming;
       • social engineering or phishing of Lean and its employees or contractors;
       • any non-technical vulnerability testing;
       • conducting any attacks against Lean’s physical property or data-centers; and/or
       • submitting a high volume of low-quality reports.
  6. ensure that you follow the relevant policies available on Lean Systems including, without limitation, the Acceptable Use Policy Guidelines.

3. Your Role

In order to help Lean triage and prioritize submissions, it is recommended that your reports:

  1. describe the vulnerability, where it was discovered, and the potential impact of exploitation;
  2. offer a detailed description of the steps needed to reproduce or validate the vulnerability (proof of concept scripts or screenshots are helpful); and
  3. be in English, if possible.

4. Lean’s Role

When you share your contact information with Lean, Lean is committed to coordinating with you as openly and as quickly as possible as follows:

  1. within 3 business days, Lean will acknowledge that your report has been received.
  2. to the best of its ability, Lean will confirm the existence of the vulnerability to you and be as transparent as possible about what steps Lean is taking during the remediation process, including on issues or challenges that may delay resolution.
  3. Lean will maintain an open dialogue to discuss issues.

5. Contact Us

For any questions, comments or concerns please contact us at security@leantech.me.