July 31, 2024

Vulnerability Disclosures Policy

INTRODUCTION

This Vulnerability Disclosures Policy (“Policy”) is designed to guide individuals (“Researchers” or “Finders”) who have discovered potential security vulnerabilities in our networks, applications, digital services, websites, data processes and information systems. We aim to address such vulnerabilities responsibly and efficiently, safeguarding the security and privacy of our users and the integrity of our digital assets. 

  1. PURPOSE and OBJECTIVES

This Policy aims to establish a transparent process for reporting and managing security vulnerabilities in systems owned, operated or maintained by Turn.io PBC, Benefit Corporation (“Turn.io”). Our objectives include ensuring our data and systems' confidentiality, integrity, and availability, fostering a cooperative relationship with the security research community, and continuously improving our security posture.

  2. SCOPE

This Policy applies to all security vulnerabilities discovered within digital assets owned, operated, or maintained by Turn.io, including our websites, applications, internal networks, customer data systems, and third-party services integrations.

  3. GUIDELINES for RESEARCHERS/FINDERS

This Policy provides a guideline for a Researcher/Finder to follow when disclosing a vulnerability, while also defining the appropriate response from Turn. This approach enables the Researcher/Finder and us to cooperate with confidence within an agreed framework.

The following basic requirements are expected from the Researcher:

  1. To conduct vulnerability discovery activities ethically and legally;
  2. To refrain from actions that could cause harm, such as denial of service, accessing or modifying data, or interrupting or degrading services;
  3. To ensure that any and all testing remains legal;
  4. To cease testing and report immediately upon discovery of a vulnerability;
  5. To avoid disclosure of vulnerability details to the public or third parties without prior consent; and lastly
  6. To ensure responsible handling of sensitive data, if encountered during research.

The suggested outline for a Vulnerability Disclosures Report:

  • Type: Concise summary categorizing the vulnerability and the site or application where it can be found
  • Asset: Web address, IP address, product or service name 
  • Severity (CVSS, the Common Vulnerability Scoring System): Low / Medium / High / Critical
  • Description of the vulnerability: Include a summary of the vulnerability, any supporting files (e.g. screenshot, video) and your recommendations
  • Steps to reproduce: Provide clear steps to reproduce the vulnerability as well as proof of concept code
  • Contact details: Your name and email address 

  4. REPORTING PROCEDURE

To ensure the vulnerability information gets to the correct team member (within Turn.io), please direct any reports and/or queries to our dedicated email address at security@turn.io. We suggest reports include the following information: 

  • Type or detailed description of the vulnerability
  • Details on the asset such as web or IP address, product or service name
  • The severity of the vulnerability
  • Steps to reproduce the issue
  • Any system information, if relevant
  • Email address of the person reporting the issue 
  • Any suggestions for mitigating the vulnerability

  5. RESPONSE and COMMUNICATION

Upon receiving a report as detailed above, our Turn security team will: 

  • Triage and assess the reported issue, and acknowledge receipt within 48 working hours (if so required by the assessed severity level).
  • Provide an estimated timeline for resolution. 
  • Keep the Researcher informed of progress. 
  • Work to rectify any identified issues promptly and efficiently. 
  • Responsibly discuss any potential public disclosures, if required or relevant.

  6. SAFE REPORTING

Researchers adhering to this Policy will not face legal action related to their findings. This clause encourages ethical reporting of vulnerabilities and responsible security research by protecting Researchers from the possibility of legal action, provided their actions are lawful.

  7. PUBLIC DISCLOSURE POLICY

Details of vulnerabilities and their resolutions may be disclosed publicly, considering:

a) Whether the issue has been fully resolved;

b) Coordination with the Researcher;

c) Ensuring non-compromise of ongoing security measures; and

d) Aligning with industry best practices for responsible disclosure.

The Head of Legal and Compliance will review this Policy annually. Any concerns or comments on this policy can be referred to Linda Sadler at linda@turn.io 

All employees of Turn will receive training on an annual basis on the implementation and importance of this Policy.