A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and the simplest way to make it so is a security.txt notice.
Contact: mailto: security@tulip.co
Preferred-Languages: English

# TULIP RESPONSIBLE VULNERABILITY DISCLOSURE POLICY

Security is one of Tulip's fundamentals. We highly value the time and effort invested in good faith by security researchers in helping us build a more secure platform for our partners and users. As such, we encourage the responsible disclosure of vulnerabilities related to Tulip’s SaaS offering. If you are a security researcher and have discovered a security vulnerability in our platform, we appreciate your help in disclosing it to us in a responsible manner. If you would like to report a security issue, such as a vulnerability or an incident, you may do so with an email addressed to security@tulip.co.

## Ground rules

To prevent any confusion between responsible security research and malicious conduct, we ask that you observe the following protocols when discovering, testing, and reporting vulnerabilities:

- Ensure that you only interact with test accounts that you have personally created on the platform;
- Avoid using automated scanning tools on our assets, as this may be interpreted as a potential DDoS attack and would be in violation of our Website Terms of Use;
- Refrain from employing physical attacks, social engineering tactics, DDoS attacks, or spam in your testing;
- Avoid conducting security tests on third-party products and services that Tulip relies on for its operations (e.g., Zendesk);
- Should you gain unauthorized access to any data or systems, restrict the scope of access to the minimum necessary for demonstrating your proof of concept. If you encounter any personally identifiable or proprietary information, halt testing immediately and submit a report;
- Ensure that your actions do not infringe on others' privacy, disrupt our systems, destroy data, or negatively impact the user experience;
- Report any vulnerability you've discovered promptly. Do not take advantage of the vulnerability or problem;
- Use only the designated communication channels provided to report or discuss vulnerabilities, and include sufficient detail to help us resolve the issue promptly;
- Refrain from publicly disclosing any discovered vulnerabilities or sharing them with third parties until you receive formal written authorization from us; and
- Do not engage in any fraudulent activities or, except for the purpose outlined in this Policy, exploit vulnerabilities against us, our partners, or our users in any way.

## In Scope Domain

- your-own-instance.tulip.co; please don't test any other customer instance besides your own trial instance.

## Out of scope domains

Anything other than your own Tulip instance.

## Out-of-Scope Vulnerabilities

- Don't use scanners or automated tools to find vulnerabilities.
- No rate limit tests or assessments
- Click-jacking / UI redressing
- Incomplete or missing SPF/DMARC/DKIM records
- Low impact information disclosures such as software version disclosure
- Missing Cookie flags
- Vulnerabilities requiring the use of outdated browsers, plugins or platforms
- Vulnerabilities having low or no security implications.
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)

## Communication

If you think you've found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please do your best to include with your report the following details and be as descriptive as possible:

- The exact location (vulnerable URLs and parameters) and the nature of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (screenshots, screen recordings, and proof-of-concept scripts are all helpful if applicable); and
- A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

## Expectations

When working with us according to this Policy, you can expect us to:

- Acknowledge or dismiss the finding and work to remedy acknowledged vulnerabilities in a timely manner;
- Handle your report with confidentiality and respect written requests for anonymity; and
- On a case-by-case basis, credit you for the finding where appropriate.

## Legal Matters

When you conduct vulnerability research in good faith and in compliance with the guidelines outlined in this Policy, we regard such research as:

- Legally permissible and aligned with applicable state laws concerning computer fraud. We will not pursue any legal action against you for bypassing technological controls; and
- Exempt from restrictions in our Website Terms of Use, but only to the extent necessary to facilitate legitimate security research and only to the extent in compliance with this Policy.

We commit to not taking legal action if you responsibly identify and report security vulnerabilities. However, Tulip retains all legal rights in the event of any breach of this Policy. If you have any doubts or concerns about whether your security research aligns with this Policy, please contact us through the specified communication channels before proceeding further.
This policy, crawled by Onyphe on 2025-03-15, is categorised as securitytxt.
FireBounty © 2015-2025