Vulnerability Disclosure Policy

Introduction

Kiteworks is dedicated to empowering organizations to effectively manage risk in every send, share, receive, and save of sensitive data. Kiteworks-enabled Private Data Networks unify, track, control, and secure sensitive data moving within, into, and out of organizations, significantly improving risk management and ensuring regulatory compliance on all sensitive communications.

We take security in our products and services very seriously because of the nature of the data that we help our clients protect. Our products are developed in strict secure processes and undergo rigorous testing, but vulnerabilities can still make it through. For this reason, we maintain a public bug bounty program, and we encourage all researchers to participate in it and be rewarded for their findings.

Scope

This policy applies to any digital assets owned, operated, or controlled by Kiteworks, including but not limited to:

  • Websites
  • Applications
  • APIs
  • Networks

Reporting a vulnerability

If you believe you have discovered a vulnerability, we ask that you report it to us as soon as possible. In this case, please provide us with all relevant information using the form on this page.

Supplying your contact information with your report is entirely voluntary and at your discretion. Kiteworks will make use of all reports that are submitted, both those submitted anonymously and those with contact information. If you submit your contact information, Kiteworks will only use such information to get in touch with you in case clarification of the submitted report is required. In addition, please let us know if (and how) you would like to be publicly credited in the event that we confirm and resolve the reported issue.

Terms

By submitting a report to Kiteworks, by using this form or otherwise, regarding vulnerabilities and errors, you agree to the following terms:

Kiteworks may use your report for any purpose it deems relevant, including, without limitation, for the purpose of correcting reported vulnerabilities and errors that Kiteworks deems to exist and require correction. To the extent that you suggest changes and/or improvements to a Kiteworks product or service in your report, you assign to Kiteworks all rights of use and ownership of such suggestions.

Our commitment / Safe harbor

We are grateful for the support in ensuring the security of our customers. If you'd like to be publicly credited in case we confirm and resolve the reported issue, please let us know when submitting the vulnerability.

To encourage responsible reporting, we pledge not to initiate legal action against researchers who:

  • Engage in testing that complies with this policy.
  • Report vulnerabilities to us promptly and confidentially.
  • Avoid exploiting the vulnerability beyond what is necessary to confirm its existence.
  • Do not cause harm to Kiteworks, our customers, or our employees.

Your Commitment

By submitting a report to Kiteworks, you agree to the following guidelines:

  • Do not engage in or execute any attacks that could damage the availability, integrity or confidentiality of our service or the information stored in our products.
  • Do not engage in social engineering against our employees, customers, or infrastructure.
  • Do not engage in intimidation or extortion.
  • All information that you obtain or generate about the products of Kiteworks, e.g. through tests, is strictly confidential and constitutes trade secrets, which is why it may only be shared with third parties with the express written permission of Kiteworks.
  • Do not disclose confidential information, including details of your submission, without Kiteworks's prior and express consent.
  • Do not violate any applicable laws or regulations.
  • You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Kiteworks.
  • If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.

Changes to this Policy

We may update this policy from time to time. The latest version will always be available on our website. By continuing to participate in our vulnerability disclosure program, you agree to be bound by the terms of the updated policy.

Contact Information

If you have any questions about this policy or the vulnerability reporting process, please contact us at ???

Thank you for helping us to keep Kiteworks and our users safe.