IQT Vulnerability Disclosure Policy

Last Updated: September 2021

Introduction

This policy is intended to give clear guidelines for conducting vulnerability discovery activities regarding In-Q-Tel, Inc. (IQT, we, or us) and how to submit potential vulnerabilities to us in a direct and responsible manner at disclosure@iqt.org.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Authorization

IQT reserves all legal rights in the event of noncompliance with this policy. IQT does not intend to pursue legal action against any party that conducts security research and discloses information to us in good faith and in compliance with this policy. IQT considers activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against a party who complied with this policy, the organization will take steps to make it known that the individual’s actions were conducted in compliance with the policy.

Research guidelines

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue, and refrain from publicly disclosing potential vulnerabilities without authorization from IQT (which we will seek to provide in a reasonable amount of time).

• Comply with all applicable laws.

• Respect the individual privacy and not obtain or disclose any private or confidential information.

• Make every effort to avoid degradation of user experience, disruption to production systems, and destruction, or manipulation of data.

• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

• Do not submit a high volume of low-quality reports.

Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information (PII), financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately at disclosure@iqt.org, and not disclose the vulnerability(ies) or any data to anyone else.

Scope

IQT defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our digital assets. This policy applies to websites, systems, and services accessible on the public Internet hosted at iqt.org or bnext.org, or on sites owned by In-Q-Tel, Inc., or its subsidiaries.

Any sites or service not expressly listed above, such as any connected services, cloud/SAAP services, or third-party services are excluded from scope and are not authorized for testing. Vulnerabilities found in systems belonging to third parties fall outside of this policy’s scope and should be reported directly to the third-party. If you are not sure whether a system is in scope or not, contact us at disclosure@iqt.org before starting your research.

Test methods

The following activities are explicitly out of scope of this policy.

• Publicly disclosing any potential vulnerability without the express written consent of IQT (which we will seek to provide in a reasonable amount of time).

• Compromising the integrity, availability, or confidentiality of non-public information obtained from us, or deleting or altering any of our information.

• Accessing, copying, using, or retaining any confidential, sensitive, or proprietary information or any personal data obtained from our systems or services.

• Failing to immediately delete/destroy any confidential, sensitive, or proprietary information or personal data/PII you may inadvertently access.

• Intentionally or negligently causing a denial-of-service condition for any user beyond the researcher or other tests that impair access to or damage a system or data.

• Exploitation of any vulnerability which sends bulk unsolicited or unauthorized messages (spam).

• Physical testing (e.g., office access, open doors, tailgating), physically connecting to a network or device within a facility operated by IQT, or social engineering (e.g., phishing, vishing) or any other non-technical vulnerability testing or other deceptive method.

• Brute force of credentials.

• Any security research performed by employees or contractors of IQT or its subsidiaries.

We require researchers to contact us before engaging in research that may be inconsistent with or unaddressed by this policy.

Reporting a vulnerability

If you believe you have discovered a potential security vulnerability or a circumstance that could reasonably impact the security of our company or our partners, we encourage you to disclose this to us.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect users of a product or service more broadly than IQT, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without your permission.

We accept vulnerability reports at disclosure@iqt.org. Reports may be submitted anonymously. If you share contact information, we will seek to acknowledge receipt of your report within three business days. We do not support PGP-encrypted emails.

What we would like in your submissions

To help us triage and prioritize submissions, your report should:

• Describe the location the vulnerability was discovered and the potential impact of exploitation.

• Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).

• Be written in English, if possible.

What you can expect from us in response

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• Within three business days, we will seek to acknowledge that your report has been received.

• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

• We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to disclosure@iqt.org. We also invite you to contact us with suggestions for improving this policy.