Vulnerability Disclosure Policy

Concierge Live welcomes third-party vulnerability disclosures in accordance with the following terms and conditions. For inquiries regarding this policy, please contact [email protected].

1. Good Faith Engagement

Concierge Live commits to engaging with security researchers in good faith. We value the contribution of the security community in enhancing our product's integrity and recognize that responsible third-party disclosure benefits the broader ecosystem.

2. Duty to Report and Non-Disclosure

Upon discovery of a potential vulnerability, researchers must submit a report to Concierge Live within one (1) business day. Researchers agree to cease further exploitation and to maintain strict confidentiality regarding their findings. If Concierge Live validates the finding, the researcher agrees to a non-disclosure period of 90 days (or until the next business day thereafter), during which the finding may not be shared with any third party.

3. Final Determination of Severity

Concierge Live retains sole discretion in determining the severity and impact of any reported vulnerability. While we welcome researcher input regarding risk assessment, Concierge Live’s internal evaluation will serve as the final classification.

4. Compensation and Recognition

Participation in this program does not guarantee financial compensation. Concierge Live is under no legal obligation to provide payment for any report, regardless of whether a fix is implemented.

  • Eligibility: Generally, Concierge Live prioritizes compensation for validated findings classified as Critical, High, or Medium.

  • Exclusions: Reports classified as Low or Informational typically do not qualify for payment.

  • Networking: For researchers providing high-quality findings, Concierge Live may offer professional referrals or introductions to established industry bug bounty programs.

5. Severity Definitions

The following categories serve as a non-exhaustive guide for how Concierge Live evaluates reports. Please note that context may cause a specific vulnerability to be classified differently than the examples listed below:

  • Critical: Broken access control, exposure of sensitive customer data, session token theft, or unauthorized privilege escalation.

  • High: IDOR, stored XSS/CSRF with significant impact, internal SSRF, or lateral authentication bypass.

  • Medium: IDOR, reflected XSS, or CSRF with moderate impact.

  • Low: SSL misconfigurations or XSS/CSRF with limited exploitability.

  • Informational: Automated scanner outputs, non-weaponizable issues, theoretical or esoteric vulnerabilities, and previously known issues.

6. Reproducibility

To be validated, a report must include clear, actionable steps that allow Concierge Live to independently reproduce the vulnerability.

7. Third-Party Dependencies

If a vulnerability is identified within a third-party tool or library utilized by Concierge Live, we may redirect the researcher to the affected vendor. In certain instances, Concierge Live may facilitate the reporting process to the third party.

8. Legal Eligibility

Eligibility for compensation is subject to international, federal, and local laws. Concierge Live reserves the right to make final determinations on a researcher's eligibility to receive funds.

9. Consolidation of Reports

If multiple reports originate from a single root cause, Concierge Live may consolidate them into a single case for the purposes of evaluation and compensation.

10. Submission Process

All findings should be submitted via email to [email protected]. If a report contains highly sensitive information, please contact us at the same address to request instructions for secure, out-of-band communication.