The company has a mechanism (e.g., a bug bounty program) through which security researchers can submit vulnerabilities they discover.
The product’s terms of use or other documentation available on the product website do not include any information about processes or mechanisms for disclosing found vulnerabilities to the company.
❌
The company discloses the timeframe in which it will review reports of vulnerabilities.
The product’s terms of use or other documentation available on the product website do not include any information about processes or mechanisms for disclosing found vulnerabilities, and do not include any information about timeframes for review.
❌
The company commits not to pursue legal action against security researchers.
The product’s terms of use specify limitations on the use of product software—including separating any individual component, and modifying, reverse engineering, decompiling, or disassembling—that describe common processes used by security researchers.
The product’s terms of use specify similar limitations for the use of the website or services, describing activities commonly used while conducting security research.
The company also reserves the right to involve law enforcement as appropriate for criminal acts it becomes aware of. Criminal law in some jurisdictions can also prohibit activities commonly conducted by legitimate security researchers.