
Policy Purpose and Acknowledgement of Acceptance

Organizations displaying the disclose.io logo are committing to a set of Core Terms focused on creating safe harbor for good-faith security research. In order to uphold this commitment, such organizations are also required to provide clear definitions regarding the permitted Scope for such research, one or more Official Communication Channels, and a formal Disclosure Policy. Condition:Black is committed to a safer internet and works diligently with other security researchers and organizations to protect public and private assets. We believe that good-faith security research and the responsible and coordinated disclosure of data breaches, security vulnerabilities, and product vulnerabilities (CVE) are ethical, legal and in the best interest of the public (Public Good). We also believe that it is our obligation as a cybersecurity research firm to provide timely and accurate information to affected organizations when our researchers stumble upon or identify a potential security issue affecting a private organization which is publicly accessible and “at risk”. Below we have set out our Vulnerability Disclosure and Breach Disclosure Policy along with contact information and official communication channels by which any organization may contact us to disclose a vulnerability in Condition:Black assets or to coordinate with us during a responsible and coordinated disclosure initiated by our Disclosure Outreach Team.

Policy

CONDITION:BLACK is a security research and cybersecurity solutions company and recognizes that we have a responsibility to our customers and the community to be held to a higher standard due to the inherent nature of our business. The confidentiality, integrity, and availability of data acquired, processed, and stored by CONDITION:BLACK is vital to the interests of our organization and its clients.

The CONDITION:BLACK security team acknowledges the valuable role that independent security researchers play in internet security and we consider our own independent research to be a valuable contribution to internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. CONDITION:BLACK is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.

Please review these terms before you test and/or report a vulnerability or engage with our Coordinated Vulnerability Disclosure Team. Please note that by engaging with us after an initial disclosure where this policy has been specifically referenced you are agreeing to abide by the same terms and conditions herein as if they were your own written policy.

Safe Harbor

CONDITION:BLACK pledges not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

CONDITION:BLACK does not permit the following types of security research:

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

Scope:

Reporting a potential security vulnerability:

For a vulnerability or breach disclosure to be covered by CONDITION:BLACK's policy we ask that you privately share the details of the suspected vulnerability or breach with CONDITION:BLACK by sending an email to security@condition.black, or you can send us a secured email using our public key (click the icon below to download the public key from our server).


Rewards

Should a vulnerability or breach be disclosed, CONDITION:BLACK may wish to reward a researcher with monetary compensation. This is handled on a case-by-case basis and is subject to all local/state/federal/international tax and financial laws. Under no circumstances will CONDITION:BLACK pay any ransom or other reward for any report which attempts to extort or otherwise threatens to cause monetary, reputational, tort, civil or criminal damages to our customers, organization, employees, volunteers, contractors and officers. Any attempt to do so will be immediately reported to the appropriate authorities, including the FBI, INTERPOL, U.S. Secret Service, State and Local law enforcement agencies and International law enforcement agencies where appropriate.

The CONDITION:BLACK security team's commitment:

If you responsibly submit a vulnerability or breach report, the CONDITION:BLACK security team and associated development and disclosure groups will use reasonable efforts to:

We are happy to thank every individual researcher who submits a report helping us improve our overall security posture at CONDITION:BLACK.


Coordinated Disclosure TO an organization:

CONDITION:BLACK security researchers and volunteers engage in extensive internet-wide research on a variety of threat vectors and breach detection activities. These activities are all conducted as legitimate research work and are supervised by our principal security researchers. We believe it is our obligation as good internet citizens to responsibly notify any organization identified during a research or breach detection/discovery activity of the discoveries made by our team.

By engaging with us beyond the initial disclosure notification, you and your organization agree not to initiate legal action against CONDITION:BLACK, its security researchers, officers, volunteers or contractors for any activities related to the information discovery and validation/attribution research, or during the disclosure and notification process.

Notification (Disclosure) to organizations

Our team will notify affected or potentially affected organizations of any breach or security vulnerabilities identified during passive and/or active research/discovery. That notification may include the following methods of notification:

STATEMENT OF INTENT DURING DISCLOSURE TO YOU:

We are a cybersecurity research team and our goal is to aid organizations in identifying and mitigating immediate security threats in order to provide a safe and secure internet for everyone.

Condition Black operates in accordance with ALL Federal, State, and International Laws regarding vulnerability and data breach disclosures. Under no circumstances will we ever solicit any organization, entity, vendor or individual for any financial payment or “ransom” for any information provided as part of a responsible disclosure.


Bounty Rewards, Recognition, Compensation and other FAQ:

Q: My organization has received a valid disclosure and we wish to reward your organization for its efforts. Do you accept or receive bounty rewards, compensation, public recognition for your disclosures?

A: While we do accept recognition and bounties where the notified entity offers or has an existing program we only do so on a voluntary basis and at the invitation or discretion of the organization providing the “reward” or “bounty”.

Q: Are you attempting to find vulnerable companies in order to make money off of them?

A: Our principal goal is to make the internet safer. We are a for-profit organization and we are open to engaging with companies who may wish to use our services. However, if we reached out to you it is because we want to make you aware of a security issue, not to solicit you as a customer. If you wish to engage our services we will be happy to discuss this with you to see if it is a fit. We accept a limited number of customers each year through our program and not every organization will meet our requirements. This allows us to carefully select organizations that would benefit the most from our solutions and services.

Q: My company received a Disclosure Notification from disclosure@condition.black or security@condition.black. Is this a ransom for data or vulnerabilities you claim to have discovered?

A: We will NEVER demand any compensation for an unsolicited responsible disclosure. RANSOM AND RANSOMWARE ARE CRIMES. ANYONE WHO MAKES ANY ATTEMPT TO EXTORT/RANSOM OR FORCE YOU TO MAKE ANY REMUNERATION IN EXCHANGE FOR INFORMATION FOUND DURING A RESEARCH ENGAGEMENT IS BREAKING THE LAW. IF YOU BELIEVE YOU HAVE RECEIVED ANY COMMUNICATION FROM US THAT MEETS THESE CRITERIA, PLEASE NOTIFY OUR LEGAL TEAM IMMEDIATELY SO THAT WE CAN INVESTIGATE IT, BY SENDING ANY INFORMATION YOU HAVE TO LEGAL@CONDITION.BLACK. IF YOU RECEIVED A RANSOM DEMAND AND YOU BELIEVE YOU ARE BEING TARGETED, PLEASE REPORT ALL RANSOM ATTEMPTS TO YOUR LOCAL LAW ENFORCEMENT AGENCY IMMEDIATELY.

Q: My organization or client has received a notification from you and we are interested in keeping this “under wraps”. We would prefer to handle this internally since we have no evidence of anyone accessing this information. What arrangements can be made to secure CONDITION:BLACK researchers' discretion and prevent public disclosure of the vulnerability or breach?

A: We will not accept any promises or compensation, whether tangible or intangible, in order to delay, hide, or limit the fallout of any breach of personal data by a data processor or data owner. Any attempt to avoid or unnecessarily delay timely and ethical notification to the appropriate authorities of a personal data breach where a data subject's rights under CCPA, GDPR or any other privacy regulation/law may be infringed will result in an immediate and public disclosure to both the authority with jurisdiction and the media. This is non-negotiable. Should your organization gain approval from the appropriate authorities to delay the notification, we will accept the data privacy authority's judgement and abide by their written terms. This MUST be provided to us by the data privacy authority or attorney general's office (if U.S. entity).


Policy regarding legal or civil threats, personal threats or other attempts to suppress or intimidate:

The work we do can be filled with risk, and not surprisingly some organizations and individuals take our legal, ethical and responsible disclosures as a threat. We have extensive experience dealing with these situations, and we are WELL VERSED in the CFAA, the DMCA, and international laws related to our research. We do not exceed authorized access during our scanning and research efforts. We believe that what we do is imperative and that it is legal, and we stake our reputation on it daily. We ask that you remember WHY we reached out to you, and the intent of our engagement with your security team. We engage with organizations that could certainly attempt to “crush” us with legal threats and civil suits, but we believe most of these are simply to protect an organization's reputation or to limit its liability. It is our intention to help organizations limit that liability and the damage that might be caused by a breach or vulnerability BEFORE a bad actor takes advantage of it. We are on your side, and we want to work WITH you, not against you. With that intent we also want to be clear about what you can expect from us should you or your organization threaten us or become aggressive in any manner. We ask that you please act responsibly and professionally, and we will do the same.

Policy