Vulnerability Disclosure Policy

How to let us know if you find a security flaw in Marco Polo

Purpose and Overview

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Joya Communication Inc.’s Marco Polo app and submitting discovered vulnerabilities to Joya.

All technology contains bugs. Maintaining the security of our networks is a priority at Joya. If you've found a security vulnerability with Marco Polo or our websites such as https://marcopolo.me, we'd absolutely appreciate hearing from you.

Please review the following terms before conducting any testing of Joya’s networks and before submitting a report. And thank you in advance.

Reporting Process

If you believe you have found a vulnerability or security flaw, please submit it by emailing us at security@marcopolo.me. The report should include a detailed description of the vulnerability (including type of issue, product, version, and configuration of software containing the bug) with clear, step-by-step instructions to reproduce the issue.

Guidelines

Joya will deal in good faith with researchers who discover, test, and submit vulnerabilities in accordance with these guidelines:

  • Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • Report any vulnerability you’ve discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use only the official channels to discuss vulnerability information with us - e.g., emailing security@marcopolo.me, and do not publicly disclose any details of the vulnerability or the content of information rendered available by a vulnerability, except upon receiving written authorization from Joya.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a vulnerability; and cease testing and submit a report immediately if you encounter any user information (such as names, emails, phone numbers or other personal user information as defined in our privacy policy) during testing.

Disclosure of Vulnerability

The contents of the report you submit will be made available to the Marco Polo team immediately, and will initially remain non-public to allow sufficient time to publish a remediation. After the report is closed, either party can publicly disclose the contents of the report if needed.

By default, the team will attempt to close all reports within 30 days or less.

Due to complexity and other factors, some vulnerabilities will require longer than 30 days to remediate. In these cases, the report will remain non-public to ensure that the Marco Polo team has an adequate amount of time to address the security issue.

We will attempt to be transparent in communications with the finder when such challenging cases present themselves.

Joya will not bring any legal action against anyone who makes a good faith effort to comply with this policy.

As long as you comply with this policy:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
  • We waive any restrictions in our Terms of Service that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

You are responsible for complying with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at security@marcopolo.me before going any further.

Bug Rewards

We value the efforts that finders put in to identify bugs and vulnerabilities, however, we do not currently have a bug bounty program.

Other

We reserve the right to modify the terms of this policy or terminate the policy at any time.

Here is our public PGP key to encrypt your report.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGTs/UQBDADsnGWcpTQnAevP24TNS3SCnt4e6/vJR8w9OfrhT1gPQJ1qDLdc Aj8unN/DirHt77bB0KuB/bp5FpMDW6CvS8Hp6ZuE841JFUMnlJRuYAun4CZwYaH9 GWWtVYO9Ld1OwjDhHAEpboJyOOyjiCLgFoH+lUAa5vKPP6+rN+d9fpA2iUHCcPB0 KVwoH4+W84PQ+8TfHoCwXXOInyRcNEt0sn+0/lemtvwp31K3pC6y7aCDvFIzqLUI OEOaWgCm+RKjNApnA8GLqPfIPeQPllCRsW0mc9478jy7UudcgRz8n58QwnaYmFEJ vQjkPvwDRdIiJZvoSNSDY8q7yjPfe7x7RsILeL90IREJP/K1sWa9LeeCTRbNw13T I8qo5XaF6p3RMyT6meqdNCmDMiuvYQ6EhOCZHf4LnRujEgoeEk/J9nfNJ45Gh4Ea 8W4xQkwTBrvjB6D/ix0xCKy376GHwwk+N/qpCMIWv6vSLU+jogj1Hvi89h106mJE wlVa2T4nQYZe3b8AEQEAAbQwTWFyY28gUG9sbyBTZWN1cml0eSBUZWFtIDxzZWN1 cml0eUBtYXJjb3BvbG8ubWU+iQHXBBMBCABBFiEE+VqZtQyAy7HviSESdI0xCSpz lmgFAmTs/UQCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQ dI0xCSpzlmjW+gv+JUdMqeLsCACdzHH6UmudU5fE0SKvBD8WWZQXsXbR0vKvTVAc qKPBwZ6DFQo8XV8r4iyU8HwOAkBZ+e/NOB+mzUH9+mV6mi0dGdYio3LVyag1IO2i kdJblQWCWmaIXaFr1vGQKlTOe4KRJIaXT1w+j1OdOL3q4acR6Ekdvu+mEY5U/k9a IxflGJhbfQbeT/x8xl4cp1LVB/GIXubvTO/oN/oC1nhPbHW6wepkN71ySxncp9aB bIYoj2zR5MJTsV3Se05oH6njYt3mBN7PvPZGlelYAfpxFZAtNjjka5bAEuVNTuE7 wLJrYHlvHlkqDZnzTzSPDgIep8q0cII5AMllkOexHIJPb3vWrTnXeSpIbxHCOOi2 Y2oaQuH94ZFPiQrYCvCf1x7psFcYI21vRjVbJl+bOcpN9w9wRliwJBgVrLwHVbJe lpVYbjkE3k6yGu82heXmij39vNh4LHKXMEAh0S8w5nuP3E3AdITo5gtiumUU4Jts Uw0w5nEp4fyabhqVuQGNBGTs/UQBDADe3P6zx8Cut8dZX24mS/xUgqheSnL0RDmz GVirmNpPSQWYrGxsOwraehFS/FxfepNvwV5WLaaJyEdYXij029+ZGADksicdk1dM ZQjM42eBy7Er7GPwXnTlZu7HV70OF1vV1rt0EjElqYPmikhsDMto7zRyzcsIgJiF vfWTKXGhNJA6nRGseBcPpYLIFfb3mKiQOL5IszSqTeq+hcngomqhRX29mUJ+ZAmA 9nLX2R+M7gLu9174VJdhqSl5r/iGAcJmvCPfUHHCk97E9YRqe91u23m+gDFfiB0r Vo9VzKwsb6NDGiQ+zDR1Vc3BhaSWYJL4hlppOmfkax25l8EDKQ6pWiB+nuXhpTxG /Tv+3+t1DY1XdVrOZZ1Vr/ERu1MPDaE1Rn4w/vMzp4VT2Zmq2aOcZt8XULzwWDBG sTOOuI5GftKPtgrRz3Vuf90W80RkwoJP2LG6iMtLmxSC4y1FhjDcvZI2SnaabJPZ ZB8siOIcmH0OlcqJK0LrEKQOJLZ5JlMAEQEAAYkBvAQYAQgAJhYhBPlambUMgMux 74khEnSNMQkqc5ZoBQJk7P1EAhsMBQkFo5qAAAoJEHSNMQkqc5ZoExYL+wbdWgsN PFTl/9gd5+kDWLPalRWXdXMVzExOjTG9RlIYY9J7wHi+WMKR8RK3cHQbv4+j9oYX 1wayG/85k6JYL/747Wn/krD5GndS3u9AkMD8SD6C7p5RBQn0/GXzle+HfIN9gCb4 E62I+ax9eZohSPtcWZZwtppATKq5uF8TW5lTrn1i2QWnFCCU2w0eKbNNdZpzUvxa qnG+bppBJXNN4Jgz/7vmVtWmqwbJQZ9dCrGZHGkqkSrWyaYBj6hfmgDoAI22BQsb Hwm0NwgX245LSeGm+nrmfpyHhtxLIF3ZjR989E0qGM01HfmYcYFGgbqa3W4MMmwF G7WX4rJVkRYFdzhWDpRGa+7Msk6j9j3ypvF8BzMu7QXDCiH8/P2xwQd2DPtCDH3c wvHIqmzgssj6UGBqeZ62MrKl0hxt8Reqpck2WyGVnYeRRFCxJh2PIPID6PNH0k24 xJzpt8biLw/sY8Az+yHzUee4ylSbytAt4T/L1Rkbe3tTyDNYsYBhGj+GJA== =6ogY

-----END PGP PUBLIC KEY BLOCK-----

Effective date: October 4, 2023.