Vulnerability Disclosure Policy

Last updated: May 11, 2023

1. PURPOSE

This policy has been created to provide guidelines for coordinated and responsible disclosure of previously unknown security vulnerabilities.

We take the security of our systems seriously, and we value the security community. The coordinated disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

2. SCOPE

This policy applies to the responsible disclosure of vulnerabilities identified in LeoLabs products and systems.

3. VULNERABILITIES

LeoLabs believes in maintaining a good relationship with security researchers, and we strive to acknowledge them (if desired). Additionally, LeoLabs strives to work with vendors, partners and competitors in resolving product vulnerabilities in a timely manner. Coordinating the responsible public disclosure of a vulnerability is key to protecting our customers.

During remediation, all disclosed information about vulnerabilities is intended to remain between LeoLabs and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.

Public disclosure of LeoLabs product vulnerabilities from LeoLabs employees shall only go through appropriate channels by coordinating with Management and Marketing.

3.1 LeoLabs Product Vulnerabilities

If a third party identifies a verified vulnerability in compliance with LeoLabs Responsible Disclosure Policy, LeoLabs commits to:

1. Provide prompt acknowledgement of receipt of their vulnerability report.
2. Work closely with them to understand the nature of the issue and work on timelines for fix/disclosure together.
3. Remediate the identified vulnerabilities and/or provide compensating controls according to their severity:
   1. High and Critical: 30 days
   2. Moderate: 90 days
   3. Low and Informational: 180 days
4. Not pursue or support any legal action related to their research;
5. Work with them to understand and resolve the issue quickly (including an initial confirmation of the vulnerability report within 72 hours of submission);

4. RESPONSIBLE DISCLOSURE GUIDELINES

LeoLabs supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers and third-parties comply with the following Responsible Disclosure Guidelines:

1. To Report a Vulnerability, contact the LeoLabs Security Team (security@leolabs.space)
2. Keep information about any vulnerabilities you’ve discovered confidential between yourself and LeoLabs until we’ve had an appropriate amount of days to remediate based on severity.
3. Allow LeoLabs an opportunity to correct a vulnerability within the specified time frame before publicly disclosing the identified issue, in order to ensure that LeoLabs has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
4. Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
5. Only use the identified communication channels to report vulnerability information to us; and
6. Do not modify, view, or destroy data that does not belong to you.

Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. LeoLabs advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch timely.