Clear Ballot Group, Inc.
Vulnerability Disclosure Policy

INTRODUCTION

Clear Ballot Group, Inc. prioritizes the security of our systems and welcomes feedback from security researchers. If you believe you have discovered a vulnerability in any part of our ecosystem, we encourage you to follow the process below. This policy outlines steps for disclosing vulnerabilities to us, what you can expect from us, and what we expect from you.

SCOPE

This Vulnerability Disclosure Policy applies to all digital assets owned and operated by Clear Ballot Group, Inc., including corporate IT networks and public-facing websites. This policy does not give authorization to test state and local government election-related networks or assets. Researchers who wish to assess those networks or assets should follow guidance from those entities for security research opportunities and conditions. We will accept reports and research under this policy for Clear Ballot Group, Inc. products not owned or operated by Clear Ballot Group, Inc.

GUIDELINES

To participate in our Vulnerability Disclosure Program, we require that you:

  • Follow this policy, as well as any other relevant agreements with Clear Ballot Group, Inc.
  • Promptly report any vulnerability you discover to Clear Ballot Group, Inc.
  • Do not violate the privacy of others, disrupt any systems, or destroy any data.
  • Use only the methods listed below to discuss vulnerability information with our team.
  • Keep the details of any discovered vulnerabilities confidential until they are remedied.
  • If a vulnerability provides unintended access to data, do not access data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any Personally Identifiable Information, you must cease testing and submit a report immediately.

REPORTING

To submit a vulnerability report, please email security@clearballot.com with all relevant information. In order to best assist our team with remedying any vulnerabilities, we ask that you provide sufficient details.

OUR COMMITMENT

In accordance with this policy, researchers working with Clear Ballot Group, Inc. can expect us to:

  • Acknowledge submitted reports within 5 business days
  • Work in good faith to understand the details around the discovery of the vulnerability
  • Strive to keep you informed about the progress of remediating any discovered vulnerability as it is processed
  • Work to remediate discovered vulnerabilities in an efficient and timely manner, within 90 days if possible
  • Extend Safe Harbor for your vulnerability research that is related to this policy

SAFE HARBOR

When you conduct research in accordance with this Vulnerability Disclosure Policy, we consider that research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable local, state, and federal laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at security@clearballot.com before going any further.