The safety and security of user information is a top priority at Sierra Interactive. To that end, we are receptive to, and grateful for, the contributions of any external security researchers who wish to assist us in maintaining the security of this user information.
The following properties are in scope for researching potential vulnerabilities:
Should you discover a vulnerability in our software, we request that you contact our team at email@example.com to submit your report. Please include the following information in your report:
- A description of the vulnerability discovered.
- Clear and detailed steps to reproduce the vulnerability.
- Any plans that you have for disclosure.
We will respond to your emailed report within 3 business days. This response will include a request for additional information about the vulnerability, if required, as well as our initial assessment of the reported vulnerability. If we are able to verify the reported vulnerability, we will coordinate with you on an estimated timeline for the publication of a patch and an estimated timeline for public disclosure. We ask that you not publicly disclose the vulnerability ahead of the patch publication and our own public disclosure.
We will provide credit to the external security researcher who discovered the verified vulnerability on our website, sierrainteractive.com.
Please note: we will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy, and we will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Sierra Interactive’s vulnerability disclosure policy, Sierra Interactive will take steps to make it known that your actions were conducted in compliance with this policy. Please submit a report to us at firstname.lastname@example.org before engaging in conduct that may be inconsistent with or unaddressed by this policy.
This vulnerability disclosure policy is subject to change.