Vulnerability Disclosure Policy

Introduction

Maro values the security of our systems and the data of our users. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security concern in any of our assets, we want to hear from you. This policy outlines how to report such issues to us, what we expect, and what you can expect from us.

Systems in scope

This policy applies to any digital assets owned, operated, or maintained by Maro.

Out of scope

- Assets or equipment not owned or maintained by Maro.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Our commitments

When you report a vulnerability to us in accordance with this policy, you can expect us to:

- respond to your report promptly, and work with you to understand and validate your report;
- strive to keep you informed about the progress of a vulnerability as it is processed;
- work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- extend safe harbor for vulnerability reporting that is related to this policy.

Our expectations

When reporting a vulnerability to us, we ask that you:

- follow this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- report any vulnerability you've discovered promptly;
- do not actively scan, probe, or test our systems for vulnerabilities. This policy covers the reporting of vulnerabilities discovered during normal use of our services, not active security testing or penetration testing;
- avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
- use only the official channels to discuss vulnerability information with us;
- provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
- if a vulnerability provides unintended access to data, do not access or modify any data beyond what is necessary to confirm the issue exists, and cease activity and submit a report immediately if you encounter any user data such as personally identifiable information (PII), personal healthcare information (PHI), credit card data, or proprietary information;
- do not interact with accounts you do not own or do not have explicit permission to use; and
- do not engage in extortion.

Official channels

Please report security issues via security@seekmaro.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Safe harbor

We consider good faith reporting of vulnerabilities under this policy to be authorized and beneficial activity. We will not initiate or support legal action against you for reporting a vulnerability in accordance with this policy. This safe harbor applies provided that:

- your activity was limited to reporting the vulnerability and did not involve active exploitation, unauthorized access to data, or disruption to our services;
- you complied with all other terms of this policy; and
- your actions were conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you are uncertain whether an issue you have encountered falls under this policy, please contact us through our official channels before taking any further action.

Note that the safe harbor applies only to legal claims under the control of Maro, and this policy does not bind independent third parties.