If you believe that you have discovered a potential security vulnerability or bug within any of Pearl Certification’s publicly available digital platforms or technology, we would like for you to let us know as soon as possible by emailing us at infosec@pearlcertification.com. We will not take legal action against you or suspend or terminate your access to any Pearl Certification services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. Pearl reserves all of its legal rights in the event of any noncompliance.

Our team will review the disclosed information and take appropriate action to mitigate the findings.

Vulnerability Reporting

Please let us know about any found vulnerabilities as quickly as possible. The report to infosec@pearlcertification.com should be as detailed as possible, at a minimum including enough information for us to validate and reproduce the issue. Specific information requested includes:

    • The digital asset/site/product affected. Please be as specific as possible; include the specific URL, including path and port information.
    • A detailed description of the vulnerability
    • A description of the risks posed by the vulnerability including the likely attack scenario
    • Steps taken and tools used to discover the vulnerability
    • Remediation or other mitigation instructions for remedying the vulnerability

Responsible Disclosure

Consistent with Responsible Disclosure, please ensure the following:

    • Do not publicly disclose the details of any potential security vulnerabilities without written consent from Pearl Certification, and even then, not until the vulnerability has been remediated.
    • Avoid malicious, illegal, or illicit behavior in identifying and reporting security vulnerabilities.
    • If you discover any personally identifiable information (PII) while exploring a suspected vulnerability, cease your investigation and immediately report the vulnerability that made such information available. Do not retain any PII discovered.
    • Avoid activities that negatively impact the availability or integrity of Pearl Certification, its customers, infrastructure, or data.

Rewards

Pearl Certification recognizes that responsible disclosure helps keep Pearl and its users and customers safe. As a small business with very limited sensitive data, Pearl has not allocated a budget for responsible disclosure bounties. Pearl does appreciate responsible disclosure and will be willing to provide public acknowledgement and recognition. In extraordinary circumstances, Pearl may find a way to offer a bounty, but such awards require adherence to this policy, will only be offered to the first person to submit the issue, and will be based on factors including the severity of the vulnerability, the ease of exploit, and the quality of the report.