Vulnerability and Critical Bug Reporting Policy

Last Updated: April 16, 2024

Point-Form/Plain-Language Summary

The following is a point-form, plain-language summary of these terms. It is for your convenience ONLY and should be considered in concert with the full terms below:

  • Do not exploit vulnerabilities or critical bugs for any reason (per the Bridgeman Accessible Terms of Service).
  • Report vulnerabilities and critical bugs to Bridgeman Accessible as soon as possible.
  • Refrain from disclosing vulnerabilities or critical bugs to the public or any third party until Bridgeman Accessible has had a reasonable time to address the issue.
  • Upon a complete submission, expect to receive some form of communication from Bridgeman Accessible within a reasonable time frame.
  • Expect to be credited, if desired, for your submission if it is accepted and acted upon by Bridgeman Accessible.


Purpose and Scope

The purpose of this policy is to outline the process for reporting security vulnerabilities and critical bugs in Bridgeman Accessible systems and services. We take these issues very seriously and, while we try our best to prevent them, we recognize that, particularly given our relatively limited capacity, issues may still occur. Consequently, we rely on our users and the internet community at large to help us identify and address any missed issues, and we ask that people do so in a constructive, cooperative and responsible manner.

This policy applies to all Bridgeman Accessible systems, services, platforms, and dependencies, including but not limited to Bridgeman Accessible's public-facing services (e.g., Accessible Events Platform, Accounts Dashboard, etc.), internal infrastructure and systems, as well as cloud and third-party infrastructure and dependencies (e.g., databases and data stores, etc.).

Critical vulnerabilities or bugs are those that could lead to unauthorized access or disclosure, data breaches, or service disruptions of any kind.

How to Report Issues

If you believe you have identified a security vulnerability or critical bug in Bridgeman Accessible systems or services, please report it to us immediately. You may report the issue by sending an email to info@bridgemanaccessible.ca.

Within your report, please include the following information:

  • A detailed description of the issue, including the potential impact.
  • Any steps to reproduce the issue.
  • Any information concerning how you discovered the issue.
  • Your contact information for follow-up communications.

While we understand that email may not be the ideal communication method for all, at the current time it is the only method we have available for receiving reports. We hope to develop further reporting mechanisms in the future and apologize for any inconvenience in the meantime.

We ask that any reporting party refrain from disclosing the issue to the public or any third party until Bridgeman Accessible has had a reasonable time to address the issue (at least 2 business days to review the submission).

What Happens After a Report?

Upon receiving a report, we will review it and, if it is found to be complete and legitimate, we will contact the submitter and acknowledge receipt of the report (this may take up to 2 business days). Once acknowledged, a plan to assess and address the issue will be developed and put into action as soon as appropriate (which in a majority of cases will be as soon as possible).

We will, to the best of our ability, endeavor to inform affected individuals and organizations and/or notify appropriate authorities in a timely manner if the issue is found to be of a serious enough nature. The seriousness of the issue will largely be determined by applicable laws, regulations, industry standards, and best practices.

Confidentiality and Anonymity

Upon request, and to the best of our ability, we will endeavor to keep the identity of the reporting party confidential.

Rewards and Recognition

While we do not have the means or capacity for a formal bug bounty program at this time, we will work with submitters to find ways to recognize the importance of the work that goes into identifying and reporting security vulnerabilities and critical bugs.

Policy Updates

This policy may be revised from time to time, with no notice and at the sole discretion of Bridgeman Accessible. Any changes will be posted here and will take effect immediately upon posting.

Contact Information

If you have any questions pertaining to this policy, please contact us by email at info@bridgemanaccessible.ca.