Vulnerability Disclosure Policy

1. Promise

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We want to hear from you if you have information about a vulnerability in Collective[i]’s application!

2. Scope

https://intelligence.collectivei.com

Any services hosted by third-party providers are out of scope.

3. Process

You can send your report to: vdp@collectivei.com.

Please include the following information in your report:

  • How you found the bug and its impact

  • Detailed descriptions of the steps required to reproduce the vulnerability (e.g. POC scripts, screenshots, compressed screen captures)

  • Any plans for public disclosure

What you can expect from us:

  • A timely response to your email

  • A reasonable timeline for patches and fixes if necessary (usually within 120 days)

  • Credit after the vulnerability has been validated and fixed

  • Collective[i]’s Security Team will monitor all disclosures

The following test types are not authorized:

  • Network denial of service (DoS or DDoS) tests

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

4. Confidentiality

In order to protect our clients, we request that you keep any information about any vulnerabilities you’ve discovered confidential between yourself and Collective[i] and refrain from publicly posting or sharing any such information until we have had the opportunity to research, respond to and address the reported vulnerability and have informed our clients if necessary.

If applicable, Collective[i] will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.