Skip to main content
Honeydew Data Inc. (“Honeydew Data”) welcomes security research and responsible disclosure of vulnerabilities. We believe that collaboration with the security community helps improve the security and privacy of our users and customers.

Scope

This policy applies to all internet-facing systems, services, and applications owned, operated, or controlled by Honeydew Data. The following are explicitly out of scope:
  • Third-party systems or services not owned or controlled by Honeydew Data
  • Physical security of Honeydew Data offices or data centers
  • Social engineering of Honeydew Data employees or contractors
  • Any systems or services for which Honeydew Data is not the responsible party
Testing of out-of-scope systems is strictly prohibited.

Good Faith Security Research

We authorize good faith security research conducted in accordance with this policy. Good faith research includes activities intended to identify and report security vulnerabilities without exploiting them for personal gain, causing harm, or violating user privacy. Researchers are expected to:
  • Avoid privacy violations, data destruction, and service disruption (e.g., denial-of-service)
  • Refrain from social engineering, phishing, or physical security attacks
  • Only access data necessary to demonstrate the vulnerability
  • Not test third-party systems or services
  • Not perform automated scanning or testing without prior written permission from Honeydew Data
  • Not attempt to gain access to accounts or data that do not belong to them

Safe Harbor

Honeydew Data considers security research conducted in good faith and in compliance with this policy to be authorized. We will not pursue or support legal action related to such research under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or similar laws, provided the researcher has fully complied with all terms and conditions of this policy. Any deviation from this policy may result in loss of safe harbor protections. If legal action is initiated by a third party against a researcher acting in strict accordance with this policy, we will take steps to make it clear that the research was conducted pursuant to this policy, provided the researcher has fully complied with all requirements herein.

Disclosure

Researchers must keep all vulnerability information confidential until Honeydew Data has completed remediation or until a mutually agreed upon coordinated disclosure date. After remediation or after the coordinated disclosure window, researchers may publish their findings only on a non-attributable (“no name”) basis, meaning they may not identify Honeydew Data or make disclosures that reasonably enable others to identify Honeydew Data as the affected party. Specifically, researchers must not disclose:
  • The name “Honeydew Data,” our affiliates, or any of our products or services
  • Domain names, IP addresses, system identifiers, or infrastructure details associated with Honeydew Data
  • Customer information, internal systems, or operational details
  • Any proprietary or sensitive information obtained through research
Researchers may describe the vulnerability, technical root cause, impact, and exploit methodology in an abstract, anonymized manner that does not reveal the affected organization. Researchers must provide Honeydew Data with seven (7) days’ advance notice prior to any public disclosure to confirm that the disclosure remains non-attributable and does not include sensitive information. Honeydew Data will not unreasonably withhold or delay feedback.

Reporting

Please report vulnerabilities by emailing: [email protected]. Reports must include:
  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any relevant supporting materials (e.g., screenshots, proof-of-concept code)
  • Contact information for follow-up
Honeydew Data will acknowledge receipt of reports within five (5) business days and will provide status updates as appropriate.

Disclaimer

Honeydew Data provides this policy on an “as is” basis and makes no warranties, express or implied, regarding the policy or any activities conducted under it. Honeydew Data assumes no liability for any actions taken by researchers or for any damages or losses resulting from participation in this policy.

No Guaranteed Compensation or Bug Bounty

Submission of a report does not entitle the researcher to any guaranteed form of payment or reward. Honeydew may, at its discretion, offer compensation, rewards, or bug bounties for vulnerability disclosures submitted under this policy. Any such compensation will be determined on a case-by-case basis and is subject to the prior execution of a Vulnerability Disclosure Agreement. Submission of a report does not guarantee eligibility for any form of compensation or reward.

Policy Changes

Honeydew Data reserves the right to modify or terminate this policy at any time without notice. This policy does not create any contractual rights, obligations, or guarantees, and Honeydew Data reserves all rights not expressly granted herein.