1. Purpose
Credence Resource Management (“Credence”) is committed to maintaining the security of its information
systems and protecting the data of its clients, employees, and other stakeholders. This Responsible
Vulnerability Disclosure Program provides a formal channel through which individuals may report
suspected security vulnerabilities affecting Credence’s public-facing websites and information
resources.
This program is intended solely to facilitate the responsible reporting and internal review of
potential security concerns. It is not a bug bounty program, a penetration testing authorization,
or an invitation to conduct security testing against Credence systems.
2. Reporting a Potential Vulnerability
Any individual who becomes aware of a suspected security vulnerability affecting Credence’s
public-facing websites or information resources may report it to security@credencerm.com.
Reports should include, where available:
- A clear description of the suspected issue
- The affected website, URL, or information resource
- The date and time the issue was observed
- Steps to reproduce the issue, if known
- Screenshots or supporting evidence, provided only where doing so does not involve accessing,
collecting, copying, or exposing confidential, personal, client, or other non-public data
Credence may request additional information where reasonably necessary to validate and investigate a
report.
3. Prohibited Activities and No Authorization to Test
This program does not authorize any person or organization to conduct testing,
scanning, probing, exploitation, or any other activity against Credence systems.
Unless Credence has provided prior express written authorization, third parties are strictly
prohibited from engaging in any of the following activities:
- Automated vulnerability scanning, port scanning, crawling, enumeration, fuzzing, or similar
testing
- Manual or automated penetration testing
- Attempting to bypass authentication, authorization, or access controls
- Exploiting or attempting to exploit any suspected vulnerability
- Accessing, modifying, deleting, downloading, copying, transmitting, or exposing any data
- Testing that may impair, degrade, interrupt, or disrupt the availability, performance,
integrity, or operation of any Credence system
- Denial-of-service or distributed denial-of-service testing
- Social engineering, phishing, vishing, smishing, or physical security testing
- Testing of any system, application, endpoint, infrastructure, network, cloud environment, or
service beyond ordinary use of Credence’s public-facing websites and information resources in
the manner intended for general visitors
- Any activity involving systems or data belonging to Credence clients, employees, vendors, or
other third parties
- Any activity that violates applicable law, contractual obligations, or the rights of any person
or entity
The existence of this program, the publication of this policy, or the submission of a report to
Credence shall not be interpreted as consent, permission, authorization, license, waiver, or
approval for any person to access, scan, test, probe, or otherwise interact with Credence
systems beyond ordinary use of its public-facing websites and information resources in the
manner intended for general visitors.
4. Responsible Reporting Expectations
Individuals submitting reports are expected to:
- Act lawfully and in good faith
- Submit reports only through the designated reporting channel
- Avoid any activity that could harm Credence, its systems, its clients, or any other party
- Refrain from publicly disclosing the suspected issue, associated details, or related
communications unless and until Credence has provided written approval
- Preserve the confidentiality of all information obtained or observed in connection with a report
- Stop all activity immediately if they encounter or inadvertently access any non-public
information, personal information, confidential information, or client data, and promptly
notify Credence
5. Credence Review and Response
Upon receipt of a report, Credence may:
- Acknowledge receipt of the report
- Review the information provided
- Determine whether the report is credible and requires further review
- Conduct internal validation and remediation activities, where appropriate
- Communicate with the reporter, at Credence’s discretion, regarding the status or outcome of the
review
Credence reserves the right to determine, in its sole discretion, whether a reported matter
constitutes a valid vulnerability, the level of severity, the appropriate remediation action, and
whether any further communication is warranted.
6. Public Disclosure
No individual may publicly disclose, publish, share, or otherwise communicate information about a
suspected or confirmed vulnerability affecting Credence systems without Credence’s prior written
authorization.
This includes, without limitation:
- Technical details
- Proof-of-concept information
- Screenshots
- Exploit methods
- Correspondence with Credence
- Information about remediation status or timelines
Credence may, at its discretion, coordinate disclosure where it determines that doing so is
appropriate.
7. No Compensation or Recognition Obligation
This program is not a bug bounty program. Submission of a report does not create any entitlement
to:
- Monetary compensation
- Reward
- Reimbursement
- Public acknowledgment
- Employment, contract, or business opportunity
- Any other form of consideration
Credence may, at its sole discretion, acknowledge a reporter’s contribution, but has no obligation to
do so.
8. Legal Rights Reserved
Credence reserves all legal rights and remedies available under applicable law, contract, and policy.
Nothing in this program:
- Grants any license, permission, or authorization to access, scan, test, probe, or interact with
Credence systems
- Waives any rights of Credence
- Limits Credence’s ability to investigate, restrict, block, or take legal action in response to
unauthorized activity
- Creates any contractual obligation, partnership, agency, fiduciary duty, or other legal
relationship between Credence and any reporter
- Requires Credence to accept, investigate, remediate, or respond to any report in a particular
manner or timeframe
Any activity outside the limited reporting process described in this policy may be treated as
unauthorized and may be referred for appropriate legal, contractual, or law-enforcement action.
9. Policy Changes
Credence may modify, suspend, or withdraw this Responsible Vulnerability Disclosure Program at any
time, without prior notice. The version published by Credence at the time of submission will govern
the handling of the report.