Recap Security Vulnerability Reporting Policy
Recap Innovations welcomes responsible security researchers to report vulnerabilities in our systems. We aim to maintain a positive and transparent relationship with the security research community.
Robust Security: SOC 2 Type 2 Monitoring and Cloud Application Security Assessment (CASA) Tier II certification in progress. Organizations with a legitimate interest (existing and potential customers) may request access.
Scope of Policy
Included
This policy applies to security researchers who have identified potential vulnerabilities in Recap Innovations' systems, services, or products. It covers all systems, networks, applications, and platforms owned or operated by Recap Innovations, including web applications, mobile apps, APIs and backend services, cloud infrastructure, and internal tools and systems.
Excluded
This policy does not cover social engineering attacks, physical security vulnerabilities, or Denial of Service (DoS) or Distributed Denial of Service (DDoS) vulnerabilities.
Reporting Vulnerabilities
1. Initial Contact
Security issues should be reported via security@recap-innovations.com or through our vulnerability reporting platform. Include a detailed description, steps to reproduce the issue, affected systems or services, severity or risk level, and any relevant screenshots, logs, or proof of concept (PoC) demonstrations.
Please do not exploit the vulnerability or make it public without explicit permission from the Recap Innovations security team.
2. Acknowledgment
Within three business days, we will acknowledge receipt and begin an assessment. We may contact the researcher to request further details or clarification.
3. Triage & Verification
Our security team will evaluate the submitted vulnerability for:
Validity: Confirming that the vulnerability exists and can be exploited.
Severity: Assessing the potential impact, including risk to users, systems, data, and business operations.
Reproducibility: Ensuring the vulnerability can be reliably reproduced.
If additional information is needed, we will work with the researcher to resolve any uncertainties.
4. Remediation Process
Once a vulnerability is verified, our development team will begin working on a fix or mitigation. We will provide an estimated timeline and keep the researcher updated on progress. If the fix requires significant development or testing, we may provide interim updates.
5. Disclosure & Coordination
We commit to working with the researcher to responsibly disclose vulnerabilities to affected users, partners, or stakeholders, as appropriate.
Once a vulnerability has been resolved, we may issue a public security advisory or release a blog post detailing the issue and remediation, crediting the researcher. This will be done in coordination with the researcher to ensure their work is acknowledged.
If the vulnerability is a critical issue, we aim to release a patch within 30 days. The researcher agrees to hold off on public disclosure until the vulnerability is resolved or a patch is available.
Security Researcher Expectations
Ethical Conduct
Researchers must follow ethical guidelines, avoiding harm to users, systems, or services. Unauthorized access to user data or systems is prohibited. Researchers should avoid any actions that could compromise the integrity of the platform or user privacy.
No Public Disclosure Before Resolution
Researchers are expected to refrain from publicly disclosing the vulnerability before it is resolved or a fix is made available, unless there is an imminent risk to users or the vulnerability is not addressed in a reasonable time frame.
Confidentiality
Vulnerability details should be shared only through the agreed reporting channels. Researchers must ensure that information is kept confidential until an official statement is issued by Recap Innovations.
Safe Testing
Researchers should only test vulnerabilities in controlled environments that do not disrupt service availability or degrade the user experience. Automated testing tools should be used responsibly to avoid service disruptions or negative impacts on system performance.
Rewards & Recognition
Bug Bounty Program
Recap Innovations does not currently provide a reward program for reported valid, high-impact vulnerabilities. If one is implemented, non-cash rewards such as company swag or credits may be given for high-quality reports, at the discretion of Recap Innovations.
Public Recognition
Researchers who responsibly disclose vulnerabilities may receive public recognition in the form of a "Security Researcher Hall of Fame" or acknowledgment in public security advisories.
No Retaliation
Researchers will not be subject to any legal or organizational retaliation for responsibly disclosing security vulnerabilities as per this policy. We commit to working collaboratively and professionally with the security research community.
Recap Security Team Responsibilities
Review and Response
The Recap Innovations security team is responsible for triaging and responding to all vulnerability reports in a timely manner, ensuring that high-severity issues are prioritized. The security team will provide feedback and updates to the researcher throughout the remediation process.
Vulnerability Fix & Mitigation
The security team will ensure that a fix is developed and deployed within an agreed-upon timeline. For critical vulnerabilities, the security team will prioritize fixes and keep the researcher informed of the status.
Record-Keeping and Transparency
The security team will maintain a secure and detailed record of all reported vulnerabilities, fixes, and resolutions for future reference and auditing purposes. It will share high-level summaries of vulnerability trends and improvements in the annual security report or via public communications.
Legal Considerations
1. Good Faith Reporting
Researchers should act in good faith, and Recap Innovations commits to not taking legal action against researchers acting responsibly in accordance with this policy.
2. No Unauthorized Access
Unauthorized access to user data or systems beyond what is necessary for vulnerability testing is prohibited. Researchers must avoid exploiting or amplifying vulnerabilities beyond what is needed to demonstrate them.
Contacting Recap
To report security vulnerabilities, please email security@recap-innovations.com.
Recap Security Vulnerability Reporting Policy: Conclusion
We greatly value the role that security researchers play in improving our security posture. This policy aims to foster a collaborative environment where vulnerabilities are reported and mitigated responsibly. By following this structured approach, we ensure that security vulnerabilities are addressed promptly and effectively, enhancing the overall security of Recap Innovations and maintaining the trust of our users and customers.

Copyright 2024-2025 GriffinScribe LLC D.B.A. Recap Innovations, LLC - All Rights Reserved