Responsible Disclosure Policy
Revised 08/16/2024
RICS Software, Inc. is providing this service to help ensure a safe and secure environment for all users.
This policy applies to RICS Software, Inc. hosted applications and to any other subdomains or services associated with products. RICS Software, Inc. does not accept reports for vulnerabilities that solely affect marketing websites (ricssoftware.com), which contain no sensitive data.
Security researchers must not:
- engage in physical testing of facilities or resources,
- engage in social engineering,
- send unsolicited electronic mail to RICS Software, Inc. users, including “phishing” messages,
- execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
- introduce malicious software,
- execute automated scans or tools that could disrupt services, such as password guessing attacks, or be perceived as an attack by intrusion detection/prevention systems,
- test in a manner which could degrade the operation of RICS Software, Inc. systems; or intentionally impair, disrupt, or disable RICS Software, Inc. systems,
- test third-party applications, websites, or services that integrate with or link to or from RICS Software, Inc. systems,
- delete, alter, share, retain, or destroy RICS Software, Inc. data, or render RICS Software, Inc. data inaccessible, or,
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on RICS Software, Inc. systems, or “pivot” to other RICS Software, Inc. systems.
Security researchers may:
- view or store RICS Software, Inc. nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
- cease testing and notify us immediately upon discovery of a vulnerability,
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
- purge any stored RICS Software, Inc. nonpublic data upon reporting a vulnerability.
Thank you for helping to keep RICS Software, Inc. and our users safe!