Vulnerability Disclosure Policy
BLEND welcomes and values the efforts of Security Researchers (the “Researchers”) to contribute to the security of our systems and services. We encourage Researchers to responsibly disclose any suspected vulnerabilities they discover in accordance with this Vulnerability Disclosure Policy. By submitting the form below and clicking “Submit”, you acknowledge that you have read, understood, and agreed to the guidelines outlined in this policy.
BLEND commits to not pursuing legal action against individuals who discover and report vulnerabilities, in full accordance with the following guidelines.
Confidentiality and Data Usage:
During the identification of a suspected vulnerability, any information collected about BLEND, its clients, its suppliers, its employees and/or any other related party must be treated confidentially and only used in connection with the Vulnerability Disclosure Policy. You may not disclose, distribute, or otherwise use any such confidential information, including details related to your submission and information obtained while researching BLEND sites, without prior written consent from BLEND.
While we appreciate responsible reporting of vulnerabilities, the following actions are strictly prohibited:
- Executing or attempting Denial of Service (DoS) attacks against any product or website.
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software or ransomware.
- Engaging in acts of cyber extortion, including threats related to BLEND data or client data availability unless a payment is received.
- Performing social engineering activities targeting BLEND employees, contractors, clients, or prospective clients, including phishing or unsolicited communications.
- Conducting unapproved vulnerability or penetration testing.
- Selling, trading, or otherwise benefiting from vulnerabilities or data that do not belong to you.
- Downloading, exfiltrating, copying, or retaining BLEND data or client data that is not rightfully yours. Note: If unintended data is discovered as a result of a vulnerability, it must be removed from unauthorized systems, and any further exploitation attempts must cease immediately.
- Deliberately destroying, corrupting, or modifying data that is not rightfully yours.
- Violating any applicable international, federal, state, and/or local laws or agreements.
To report a vulnerability, please use the provided form. We will then work to validate and address the reported issue. We request that you provide us with reasonable time to investigate and respond before making any further disclosures.
BLEND assures Researchers that we will not take any retaliatory action against them for good-faith vulnerability reporting.
For any questions or concerns related to this policy or the vulnerability reporting process, please contact [email protected]
BLEND is committed to maintaining a secure environment and appreciates the assistance of the security community in achieving this goal. Your adherence to this policy is essential for ensuring responsible and productive collaboration between security researchers and BLEND.