Vulnerability Disclosure Policy


Chakadola Technologies Private Limited

We at Goodmeetings are committed to strengthening the security of our platform and services, and we welcome security researchers to disclose any vulnerabilities they find directly to us.

This policy describes how Goodmeetings works with the security community in the context of finding and responsibly reporting security vulnerabilities. Reading this policy prior to reporting any security vulnerability is mandatory as it clearly describes what is not allowed, what is allowed and how these vulnerabilities can be reported responsibly.

We encourage you to contact us to report potential vulnerabilities in our systems. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Failing to follow this policy will reduce the chance of a response to your vulnerability report and the chance of an honourable mention, in case it is applicable.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to not disrupt Goodmeetings’ systems or services, degrade user experience, modify or destroy data, or violate privacy of Goodmeetings’ users or employees.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. This too should be done without using high-intensity, invasive, automatic or destructive scanning/exploit tools.
  • Do not submit a high volume of low-quality reports.
  • Provide us a reasonable amount of time to resolve a properly notified issue before you disclose it publicly.
  • Do not demand financial compensation to report a vulnerability and threaten to withhold or release vulnerabilities to the public. Once you’ve established that a vulnerability exists or you’ve encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
  • Do not send any unsolicited messages to any Goodmeetings users.
  • Do not use an exploit to establish command line access or establish a persistent presence on Goodmeetings’ systems.
  • Do not test third-party applications, websites, or services that integrate with Goodmeetings or any other out-of-scope vulnerabilities.

Test Methods

The following test methods are not authorised:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing, use of malware, spam), or any other non-technical vulnerability testing.

In order to protect our customers and services, we ask security researchers to securely delete any data retrieved during research as soon as the data is no longer required or within a month of the vulnerability being resolved, whichever occurs first.


Scope

This policy applies to the following systems and services:

*.goodmeetings.ai, excluding the following third-party hosted domains:

  • blog.goodmeetings.ai

Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorised for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at hello@goodmeetings.ai.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Reporting

If you believe you’ve discovered a security vulnerability in one of our services, please email us at hello@goodmeetings.ai.

In order to help us assess and prioritise submissions, we recommend that your reports contain:

  • Detailed description of the discovered vulnerability, its potential impact, and the location, date & time of this discovery
  • Detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts, sample code, supporting screenshots, or recordings would be helpful) (preferably communicated in English)

We will confirm receipt of such a report within 10 business days. We commit to investigating and verifying the presence of the vulnerability, addressing it and developing a fix within a reasonable time, and notifying you of any challenges or delays in resolution. If and when you choose to share your contact information with us, we shall maintain utmost confidentiality and shall not disclose your details without permission. If you desire, we are open to maintaining an open dialogue with you to work on resolving the vulnerabilities.

Goodmeetings reserves the right to modify the terms and conditions of this policy. By reporting a security vulnerability to Goodmeetings on or after that effective date, you agree to the then-current Terms.

Questions regarding this policy may be sent to hello@goodmeetings.ai. We also invite you to contact us with suggestions for improving this policy.

Last modified on 25th June, 2022
