Vulnerability Disclosure Policy

April 2025

Wellspring Worldwide Inc. is committed to ensuring the security of our customers by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization


If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly, and Wellspring Worldwide Inc. will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Reporting security vulnerabilities found in our production environment


You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or attempt to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, the expectation is that you will not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.

Per our policy, if you wish to take part in the Wellspring Vulnerability Disclosure Program, you are expected to follow these guidelines:

Cause no harm. Any exfiltration or downloading of Wellspring data, disclosure of confidential information, and/or disruption of our customers’ experience is outside the scope of this program and outside any protections it affords from legal recourse.

Demanding payment in return for destruction of Wellspring data will result in you being viewed and treated as a threat rather than a participant in our program.

Test methods


The following test methods are not authorized:

Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.

Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

What you can expect from us


When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

Within 3 business days, we will acknowledge that your report has been received.

To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

We will maintain an open dialogue to discuss issues.

Questions


Questions regarding this policy may be sent to infosec@wellspring.com. We also invite you to contact us with suggestions for improving this policy.

Vulnerability Disclosure Form – Wellspring Worldwide