Responsible Vulnerability Disclosure Policy

1. Introduction

Selective Site Consultants is committed to ensuring the security and privacy of our systems and our users. We value the input of security researchers and the broader community in helping us maintain a high standard of security. This policy is intended to provide security researchers with clear guidelines for conducting vulnerability discovery activities and to outline how to submit discovered vulnerabilities to us.

If you make a good faith effort to comply with this policy, we commit to working with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.

2. Authorization and Guidelines (Safe Harbor)

2.1 Authorized Research

If your security research activities are conducted in accordance with this policy, we will consider them authorized. This is our commitment to a "Safe Harbor" for security research. We commit to:

- Not pursue or recommend criminal or civil legal action against you for accessing systems within the defined scope.
- Make this authorization known should legal action be initiated by a third party against you for activities conducted in accordance with this policy.

2.2 Security Research Guidelines

Researchers must adhere to the following guidelines:

1. Stop Testing Immediately: If you encounter any sensitive, non-public data (including personally identifiable information, financial information, or proprietary information), you must stop your test immediately, notify us, and not disclose or store this data.
2. Avoid Privacy Violations: Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
3. No Exfiltration or Exploitation: Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems.
4. No Financial Gain: Do not demand payment or rewards for reporting vulnerabilities outside of an established, formal bug bounty program (if one exists).

2.3 Prohibited Activities (Out of Scope)

The following activities are strictly prohibited and are outside the scope of this policy:

- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g., office access, tailgating).
- Social engineering (e.g., phishing, vishing) of our employees or contractors.
- Testing on third-party products or services unless explicitly listed in the scope.
- Attempting to use, share, redistribute, or fail to properly secure data retrieved during research.
- High-intensity invasive or destructive scanning tools.
- Testing that violates any applicable law or regulation.

3. Scope: Systems and Services

This policy applies to the following systems and services owned, operated, and maintained by Selective Site Consultants:

Asset Type                | Systems/Domains
--------------------------|--------------------------------------------
Primary Website           | Ssc.us.com
Exclusions (Out of Scope) | Any third-party hosted service or product.

If you have concerns about a system not listed here, please contact us first to discuss it.

4. Reporting a Vulnerability

Please submit your vulnerability report as soon as possible via our official channel:

- Email: security@ssc.us.com

4.1 Recommended Report Information

To help us triage and prioritize your submission, please include as much of the following information as possible:

1. Title: A concise summary of the vulnerability (e.g., "Reflected XSS on Login Page").
2. Asset/Location: The specific URL, IP address, or application version affected.
3. Vulnerability Type: The type of vulnerability (e.g., XSS, SQLi, Broken Access Control).
4. Steps to Reproduce (CRITICAL): A detailed, non-destructive, step-by-step description and/or proof-of-concept (PoC) code to reproduce the issue. Screenshots or video are welcome.
5. Impact: The potential risk or impact of the vulnerability.
6. Your Contact Information (Optional): If you wish to receive updates or credit.

5. What You Can Expect From Us

We commit to a transparent and collaborative process with security researchers who comply with this policy.

- Acknowledgement: We will acknowledge receipt of your report within 7 business days (e.g., 3 business days).
- Triage and Status: We will provide an initial status update and aim to triage the report within 14 business days (e.g., 10 business days).
- Communication: We will maintain an open dialogue with you, keeping you informed of our progress as we work to resolve the vulnerability. We may request additional information needed for remediation.
- Remediation: Vulnerability remediation is prioritized based on impact, severity, and complexity. We will let you know when the issue is fixed.
- Public Disclosure & Credit: Once the vulnerability is remediated, we will gladly provide public credit to the reporter, with their permission, in our security advisories or on other public platforms.

6. Coordinated/Responsible Disclosure

We request that you adhere to the following timeline for disclosure:

1. Private Period: You agree to refrain from sharing information about the discovered vulnerability publicly for 90 calendar days after receiving our acknowledgement of receipt, or until the vulnerability is resolved, whichever comes first.
2. Early Disclosure: We may grant permission for earlier disclosure if the issue is resolved sooner.
3. Delayed Disclosure: We may request a brief extension if the issue is high-severity and a fix is imminent.

We believe that coordinated disclosure protects users while providing an appropriate timeline for public recognition.

________________________________________

7. Questions

If you have any questions about this policy, please contact us at security@ssc.us.com.

________________________________________