Responsible Disclosure Policy
We care deeply about the security of our infrastructure and data. If you believe you have found a security vulnerability, we encourage you to let us know.
Last Updated: March 2026
1. Safe Harbor (Legal Protection)
FORESTER CREDO LIMITED considers security research to be a valuable activity. If you conduct your research and report vulnerabilities in accordance with this policy, we consider your conduct to be "authorized" under the Computer Misuse Act 1990 (UK) and related laws.
Our Pledge:
- We will not pursue legal action against you.
- We will work with you to understand and resolve the issue quickly.
- We will recognize your contribution in our Security Hall of Fame (if desired).
2. Program Scope
Please focus your testing only on the assets listed below.
| Asset Type | Target | Description |
|---|---|---|
| Website | forester-credo.com | Main corporate website and subdomains. |
| API | api.forester-credo.com | Public API endpoints. |
| Client Portal | my.forester-credo.com | Customer dashboard (Test on your own account only). |
3. Out of Scope (Strictly Prohibited)
The following activities are strictly prohibited. Engaging in them will result in a ban from the program and may result in legal action:
- Denial of Service (DoS/DDoS): Stress testing our servers is forbidden.
- Social Engineering: Phishing employees or support staff.
- Physical Security: Attacks against our offices or data centers.
- Destructive Testing: Any action that could delete or corrupt real customer data.
4. How to Submit a Report
Please send your findings to security@forester-credo.com.
Report Format Requirements:
- Description: A clear summary of the vulnerability.
- Reproduction: Step-by-step instructions or a PoC script (curl/python).
- Impact: What could an attacker do with this bug? (e.g., steal data, gain admin access).
For sensitive information, please encrypt your email using our PGP Key:
5. Response Timeline
We are committed to being responsive:
- Acknowledgment: Within 48 hours.
- Triage & Validation: Within 5 business days.
- Resolution: Critical issues are patched within 24 hours; others within 30 days.
6. Rewards & Hall of Fame
While we do not currently offer a public cash bounty program, we may offer discretionary rewards (swag, credit, or cash) for critical vulnerabilities.
If you submit a valid report, we will list you in our Security Hall of Fame (with your permission).