Vulnerability Disclosure Policy
Objective
The objective of this Vulnerability Disclosure Policy (VDP) is to establish a clear, transparent, and secure process for the reporting and resolution of security vulnerabilities discovered in Infinite’s systems, applications, and infrastructure.
Scope
This VDP applies to security vulnerabilities discovered in the digital assets owned, operated, or maintained by Infinite, including but not limited to:
- Public-facing websites and web applications
- Official mobile apps available on app stores, such as iOS and Android versions of Infinite
- Publicly accessible APIs and backend systems related to our products and services
- Any other digital platforms, portals, or services officially maintained by Infinite
Definition
Security researchers are individuals or organizations who investigate systems, software, or networks to identify potential security vulnerabilities. They do this not to exploit weaknesses, but to responsibly report them so developers can fix the issues before malicious actors discover them.
They may include:
- Independent researchers working on their own
- Bug bounty hunters participating in public or private programs
- Academic researchers conducting formal studies
- Penetration testers who responsibly report out-of-scope findings
- Developers or users who incidentally discover a flaw
- Security consultants or firms engaged in ethical discovery
Security researchers must not:
- Test any system other than the systems outlined in the 'Scope' section above.
- Disclose vulnerability information except as outlined in the 'Reporting Vulnerabilities' section.
- Engage in physical testing of facilities or resources.
- Engage in social engineering.
- Send unsolicited electronic mail to Infinite users, including "phishing" messages.
- Disclose any PII found to any third party.
- Execute or attempt to execute "Denial of Service (DoS)", "Distributed Denial of Service (DDoS)", or "Resource Exhaustion" attacks.
- Introduce malicious software.
- Test in a manner that could degrade the operation of Infinite systems.
- Intentionally impair, disrupt, or disable any Infinite systems.
- Test third-party internet-accessible systems or services that integrate with, or link to or from, Infinite systems.
- Delete, alter, share, retain, or destroy Infinite data, or render the Infinite data inaccessible.
- Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on the Infinite systems, or "pivot" to other Infinite systems.
Security researchers should:
- Terminate testing and notify Infinite immediately upon discovery of a vulnerability.
- Terminate testing and notify Infinite immediately upon discovery of an exposure of non-public data.
Reporting Vulnerabilities to Infinite
Security researchers can report vulnerabilities related to Infinite at Vulnerability-Disclosure@infinite.com.
Submission(s) must include:
- A description of the vulnerability found by the security researcher.
- The date the vulnerability was discovered.
- The vulnerability's location and potential impact.
- Technical information needed to reproduce the vulnerability (Scripts or exploit code should be embedded into non-executable file types).
- Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including any tools needed to identify or exploit it.
- Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names.
- Reports may include proof-of-concept code or screenshots that demonstrate exploitation of the vulnerability.
Security researchers may submit reports anonymously, or they may provide contact information, and any preferred methods or times of day to communicate, as they see fit.
Resolution
When a vulnerability is reported in good faith and in line with this policy:
- Receipt: Infinite shall acknowledge receipt of the report within 5 business days.
- Triage: Infinite's security team shall review and assess the issue, typically within 15 business days.
- Remediation: If the issue is valid and in scope, we will prioritize and resolve it based on severity.
- Collaboration: Infinite may contact the security researcher for clarification, reproduction steps, or to verify the fix.
- Recognition & Disclosure: With the security researcher's consent, Infinite may publicly acknowledge the contribution once the issue is resolved.
If a security researcher believes others should be informed of the vulnerability before the corrective actions are implemented, Infinite requires them to coordinate in advance.
Rewards
Infinite may offer a reward or recognition for vulnerability reports that have a significant business impact on its customers, products, or services.
Eligibility for recognition is determined by assessing the internal severity of a finding against its potential impact on Infinite and its customers. Infinite reserves the right, in its sole and absolute discretion, to determine whether a vulnerability qualifies for a reward or recognition.
VDP Program
This policy enables Infinite to operate a vulnerability disclosure program that encourages security researchers to report vulnerabilities responsibly, thereby supporting Infinite in effectively resolving the identified issues.