> ## Documentation Index
> Fetch the complete documentation index at: https://honeydew.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability Disclosure Policy

Honeydew Data Inc. ("Honeydew Data") welcomes security research and responsible disclosure
of vulnerabilities.
We believe that collaboration with the security community helps improve the security
and privacy of our users and customers.

## Scope

This policy applies to all internet-facing systems, services, and applications owned,
operated, or controlled by Honeydew Data.

The following are explicitly out of scope:

* Third-party systems or services not owned or controlled by Honeydew Data
* Physical security of Honeydew Data offices or data centers
* Social engineering of Honeydew Data employees or contractors
* Any systems or services for which Honeydew Data is not the responsible party

Testing of out-of-scope systems is strictly prohibited.

## Good Faith Security Research

We authorize good faith security research conducted in accordance with this policy.
Good faith research includes activities intended to identify and report security
vulnerabilities without exploiting them for personal gain, causing harm,
or violating user privacy.

Researchers are expected to:

* Avoid privacy violations, data destruction, and service disruption
  (e.g., denial-of-service)
* Refrain from social engineering, phishing, or physical security attacks
* Only access data necessary to demonstrate the vulnerability
* Not test third-party systems or services
* Not perform automated scanning or testing without prior written permission
  from Honeydew Data
* Not attempt to gain access to accounts or data that do not belong to them

## Safe Harbor

Honeydew Data considers security research conducted in good faith and in compliance
with this policy to be authorized.
We will not pursue or support legal action related to such research under the
Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA),
or similar laws, provided the researcher has fully complied with all terms
and conditions of this policy.
Any deviation from this policy may result in loss of safe harbor protections.

If legal action is initiated by a third party against a researcher acting in strict
accordance with this policy, we will take steps to make it clear that the research
was conducted pursuant to this policy, provided the researcher has fully complied
with all requirements herein.

## Disclosure

Researchers must keep all vulnerability information confidential until Honeydew Data
has completed remediation or until a mutually agreed upon coordinated disclosure date.

After remediation or after the coordinated disclosure window, researchers may publish
their findings only on a non-attributable ("no name") basis, meaning they may not
identify Honeydew Data or make disclosures that reasonably enable others to identify
Honeydew Data as the affected party.

Specifically, researchers must not disclose:

* The name "Honeydew Data," our affiliates, or any of our products or services
* Domain names, IP addresses, system identifiers, or infrastructure details
  associated with Honeydew Data
* Customer information, internal systems, or operational details
* Any proprietary or sensitive information obtained through research

Researchers may describe the vulnerability, technical root cause, impact,
and exploit methodology in an abstract, anonymized manner that does not reveal
the affected organization.

Researchers must provide Honeydew Data with seven (7) days' advance notice prior
to any public disclosure to confirm that the disclosure remains non-attributable
and does not include sensitive information.
Honeydew Data will not unreasonably withhold or delay feedback.

## Reporting

Please report vulnerabilities by emailing: [security@honeydew.ai](mailto:security@honeydew.ai).

Reports must include:

* A detailed description of the vulnerability
* Steps to reproduce the issue
* The potential impact
* Any relevant supporting materials (e.g., screenshots, proof-of-concept code)
* Contact information for follow-up

Honeydew Data will acknowledge receipt of reports within five (5) business days
and will provide status updates as appropriate.

## Disclaimer

Honeydew Data provides this policy on an "as is" basis and makes no warranties,
express or implied, regarding the policy or any activities conducted under it.
Honeydew Data assumes no liability for any actions taken by researchers
or for any damages or losses resulting from participation in this policy.

## No Guaranteed Compensation or Bug Bounty

Submission of a report does not entitle the researcher to any guaranteed form
of payment or reward.
Honeydew may, at its discretion, offer compensation, rewards, or bug bounties
for vulnerability disclosures submitted under this policy.
Any such compensation will be determined on a case-by-case basis and is subject
to the prior execution of a Vulnerability Disclosure Agreement.
Submission of a report does not guarantee eligibility for any form of compensation
or reward.

## Policy Changes

Honeydew Data reserves the right to modify or terminate this policy at any time
without notice.
This policy does not create any contractual rights, obligations, or guarantees,
and Honeydew Data reserves all rights not expressly granted herein.
