Vulnerability Disclosure

Last Updated: June 28, 2024

Introduction

This vulnerability disclosure policy (the “Policy”) applies to any vulnerabilities you are considering reporting to Arctic Wolf (the “Organization”) so long as the domain is listed in the In-Scope-Domains below. This Policy incorporates by reference the terms and conditions contained in Arctic Wolf’s Terms of Use and Privacy Notice. By participating in finding vulnerabilities in any manner, you accept the terms of this Policy. If you do not agree, you may not participate.

Before attempting to find any security vulnerabilities or reporting a vulnerability to us, you must read this Policy in full and always act in compliance with it.

The Organization reserves the right to modify or terminate the terms of this Policy at any time. Please check this Policy regularly as we routinely update our program terms and eligibility, which are effective upon posting. We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer rewards for vulnerability disclosures.

Reporting

If you believe you have found a security vulnerability relating to the Organization’s system, please submit a vulnerability report to the address defined in the CONTACT field of the published security.txt file. Do not contact Arctic Wolf through any channels not covered in our security.txt file.

Arctic Wolf employees, contractors and suppliers, and any persons related to or otherwise affiliated with them, may not submit to this program.

Note: Arctic Wolf reserves the right to block attempts that violate the rules of this program. For example, excessive scan traffic may result in automated blocking.

In your report, please include details of:

  • The website, IP or page where the vulnerability can be observed;
  • A brief description of the type of vulnerability, for example, “XSS vulnerability”;
  • Sufficient details for us to reproduce your findings, including examples and a working proof of concept. These should be benign and non-destructive. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

After you have submitted your report, we aim to respond to your report as quickly as possible. Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. We simply ask that you provide us a reasonable amount of time (at least 90 days from the initial report) to respond to the issue. This allows our teams to focus on the remediation. We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Confidentiality

You agree to maintain all submissions as confidential and shall not disclose any submission or portion thereof (including, but not limited to, any vulnerability or feedback) to any third party. You shall not attempt to access any of the Organization’s (or its employees’, customers’, clients’, contractors’, or service providers’) files, personal information, or other data. The Organization has no obligation to keep any submission confidential.

Guidance

You must NOT:

  • Break any applicable law or regulations;
  • Access unnecessary, excessive, or significant amounts of data. Provide only a simple proof of concept with the least amount of data exfiltration;
  • Affect the availability, integrity, or confidentiality of any sensitive, personal, or non-public information or data;
  • Use high-intensity, invasive or destructive scanning tools to find vulnerabilities;
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers;
  • Communicate any vulnerabilities or associated details other than by means described in the published security.txt;
  • Social engineer, ‘phish’ or physically attack the Organization’s staff or infrastructure;
  • Use any “robot”, “spider” or other automatic device, program, script, algorithm, or methodology, or any similar or equivalent manual process, to access, acquire or copy any vulnerabilities;
  • Submit any submissions listed in the “Out-of-Scope/Best Practices” section;
  • Demand financial compensation in order to disclose any vulnerabilities; and
  • Disclose any vulnerabilities or the content of submissions to any third parties (including any media or posting) without the Organization’s prior written consent on a case-by-case basis.

You must:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder;
  • Always comply with data protection rules and respect the privacy of any data the Organization holds;
  • Protect any downloaded data and vulnerability details from disclosure except as provided within this policy;
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection laws and regulations);
  • Submit detailed reproduction steps. Reports based only on automated tool/scanner results or which describe theoretical attack vectors without proof of exploitability may not be accepted;
  • Coordinate any disclosure through the channels described within this document.

Focus Areas

  • Privilege escalation (horizontal or vertical);
  • SQL or command injection;
  • Cross-site scripting;
  • Remote Code Execution;
  • Cross-Site Request Forgery;
  • Information Disclosure; and
  • Security Decisions via Untrusted Inputs.

In-Scope-Domains

analytics.us001-prod.arcticwolf.net
dashboard.arcticwolf.com
docs.arcticwolf.com
eloc.global-prod.arcticwolf.net
portal.arcticwolf.com
prp.prp.prod.global-prod.arcticwolf.net
rendall.us001-prod.arcticwolf.net
risk.arcticwolf.com
services.risk.us001-prod.arcticwolf.net
cyberjumpstart.arcticwolf.com
td-classic.arcticwolf.com
cyberjumpstart-reg.arcticwolf.com/cjs/m3

Out-of-Scope Vulnerabilities/Best Practices

  • Vulnerabilities on systems that are not owned and operated by Arctic Wolf including third party services utilized by Arctic Wolf;
  • Denial-of-Service Vulnerabilities;
  • Brute Force Vulnerabilities;
  • Vulnerabilities that require the use of out-of-date browsers, old plugins or end-of-life software;
  • Vulnerabilities which require physical access to a user's device;
  • Non-sensitive information available via our Content Delivery Network or public websites;
  • Missing additional security controls, such as HSTS or CSP headers that do not directly result in vulnerabilities;
  • Cookies missing security flags (for non-sensitive cookies);
  • Clickjacking type Vulnerabilities;
  • Banner Exposure / Version Disclosure;
  • Presence of autocomplete attribute on web forms;
  • Additional missing security controls that do not directly result in vulnerabilities, often considered “Best practice”, such as certificate pinning, mitigating information disclosures, SPF or DMARC configuration, TLS cipher suites;
  • Infrastructure and hardware vulnerabilities.

Legalities

This Policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organization or partner organizations to be in breach of any legal obligations.

Submission License

By submitting your research to the Organization, you grant the Organization a non-exclusive, irrevocable, perpetual, royalty-free, fully paid-up, worldwide, sub-licensable license to the intellectual property in your submission, for any purpose.

You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above, and you understand that you are not guaranteed any compensation or credit for use of your submission.

By providing submissions to the Organization, you represent and warrant that your submission is your own work and that you have the full legal right to submit the research to the Organization.

Safe Harbor

Our Safe Harbor supports the protection of organizations and individuals engaged in vulnerability research in compliance with this Policy.

We consider vulnerability research conducted with a good faith effort to comply with our Policy to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.

We consider vulnerability research conducted with a good faith effort to comply with our Policy to be authorized activity under any applicable anti-hacking laws, including the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), and we will not initiate or support legal action against you under these laws.

If research is conducted in accordance with our Policy, the Organization will:

  • not bring legal action against you or report you, including for bypassing technological measures we use to protect the applications in scope; and
  • take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.

If you have questions or need clarification about our Policy, please contact us before engaging in conduct that could be inconsistent with this Policy.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Please note the Organization is not able to authorize security research on third-party infrastructure, and a third party is not bound by this Safe Harbor.

Any vulnerability research in violation of this Policy is not covered under this Safe Harbor. The Organization reserves all rights and legal remedies available under the law.

This Policy does not provide you authorization to intentionally access company data or data from another person's account without their express consent, including (but not limited to) personal information or data as defined by applicable laws or data relating to an identified or identifiable natural person.

Liability

YOU ASSUME ALL RESPONSIBILITY AND RISK FOR YOUR PARTICIPATION IN VULNERABILITY RESEARCH. IN NO EVENT SHALL THE ORGANIZATION (OR ANY OF ITS OFFICERS, DIRECTORS, SHAREHOLDERS, EMPLOYEES, SUBSIDIARIES, AFFILIATES, AGENTS OR ADVERTISERS) BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, LOST PROFITS, OR DAMAGES RESULTING FROM LOST DATA, LOST EMPLOYMENT OPPORTUNITY, OR BUSINESS INTERRUPTION, RESULTING FROM OR ARISING UNDER OR IN CONNECTION WITH YOUR PARTICIPATION OR THIS POLICY.

IN NO EVENT SHALL THE ORGANIZATION (OR ANY OF ITS OFFICERS, DIRECTORS, SHAREHOLDERS, EMPLOYEES, SUBSIDIARIES, AFFILIATES, AGENTS OR ADVERTISERS) BE LIABLE FOR ANY DAMAGES IN EXCESS, IN THE AGGREGATE, OF US $200.00.

Injunctive Relief

A breach by you of this Policy may cause irreparable and continuing damage to the Organization for which money damages are insufficient, and the Organization shall be entitled to injunctive relief and/or a decree for specific performance and such other relief as may be proper (including money damages if appropriate) without the necessity of posting a bond.

Indemnification

You agree to indemnify and hold harmless the Organization for any loss or damage suffered as a result of any breach of this Policy, including reasonable attorneys’ fees and costs incurred by the Organization.

Governing Law and Forum

This Policy shall be governed in all respects by the laws of the United States of America and by the laws of the State of Delaware, USA, without regard to conflicts of laws principles. You irrevocably consent to the exclusive personal jurisdiction of the federal and state courts located in Delaware.

Changes to these Terms

We may change the terms of this Policy at any time. We will post any changes to our website and post the effective date when updated. If you do not agree to the new Policy, you must not participate.

Contact

As defined in the security.txt file.