Security & Responsible Disclosure Policy

Version 1.0

This Security & Responsible Disclosure Policy ("Policy") governs the reporting of security vulnerabilities to 813 Management, LLC, a Utah limited liability company ("813 Management," "we," "our," or "us"), relating to PulseCRM, PulseAPI, and associated systems and services.

This Policy does not constitute authorization to conduct security testing. Compliance with this Policy is required for any consideration of safe harbor protections.

1Scope

1.1 Covered Systems

This Policy applies to security vulnerabilities discovered in:

  • PulseCRM production systems and applications
  • PulseAPI endpoints and services
  • Associated web properties owned by 813 Management

1.2 Excluded Systems

This Policy does not cover:

  • Third-party services, vendors, or integrations
  • Physical security or social engineering
  • Customer or user systems
  • Any system not explicitly owned and operated by 813 Management

2Disclosure Requirements

2.1 Private Disclosure Channel

All security vulnerability reports must be submitted privately through the designated security contact channel. Contact information for security disclosures is available through our official website at pulsecrm.com/contact with "Security Disclosure" in the subject line.

Do not submit vulnerabilities through public channels, issue trackers, forums, or social media.

2.2 Required Information

Vulnerability reports should include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Affected systems, endpoints, or components
  • Potential impact assessment
  • Any supporting evidence (logs, screenshots, proof of concept)
  • Your contact information for follow-up

3Prohibited Conduct

The Following Activities Are Strictly Prohibited

  • Public Disclosure: Disclosing any vulnerability information publicly, including on social media, blogs, forums, conferences, or any other public channel, without prior written authorization from 813 Management
  • Social Media Disclosure: Posting, referencing, or hinting at vulnerabilities on any social media platform, including but not limited to Twitter/X, LinkedIn, Reddit, Mastodon, or similar services
  • Automated Scanning: Conducting automated vulnerability scanning, penetration testing, or security assessments without prior written authorization
  • Data Access: Accessing, downloading, copying, modifying, or deleting data belonging to 813 Management or its customers
  • Service Disruption: Performing any actions that could disrupt, degrade, or deny service to 813 Management systems or users
  • Exploitation: Exploiting vulnerabilities beyond the minimum necessary to demonstrate the issue
  • Third-Party Disclosure: Sharing vulnerability information with any third party without authorization
  • Extortion: Demanding payment, compensation, or other consideration in exchange for vulnerability information or non-disclosure

4No Bounty or Compensation Obligation

813 Management does not operate a bug bounty program and is under no obligation to provide:

  • Monetary compensation or rewards
  • Public acknowledgment or credit
  • Merchandise, swag, or other items
  • Any other form of compensation

Submission of a vulnerability report does not create any expectation of compensation or establish any contractual relationship.

5Conditional Safe Harbor

5.1 Conditions for Safe Harbor

813 Management will consider refraining from legal action against security researchers who:

  • Strictly comply with all provisions of this Policy
  • Act in good faith to avoid harm to 813 Management and its users
  • Do not access, modify, or exfiltrate any data
  • Report vulnerabilities promptly through the designated channel
  • Maintain strict confidentiality until authorized by 813 Management
  • Do not engage in any prohibited conduct

5.2 Safe Harbor Limitations

Safe harbor consideration is:

  • Entirely discretionary and determined by 813 Management on a case-by-case basis
  • Not a guarantee, promise, or commitment
  • Subject to revocation at any time
  • Not applicable if any Policy provision is violated
  • Not binding on law enforcement or regulatory authorities

6Reservation of Enforcement Rights

813 Management expressly reserves all rights to:

  • Pursue civil litigation for unauthorized access, data breaches, or Policy violations
  • Report suspected criminal activity to law enforcement authorities
  • Seek injunctive relief without the requirement of posting bond
  • Recover attorneys' fees, costs, and damages
  • Terminate any access, accounts, or business relationships

This Policy does not waive any legal rights or remedies available to 813 Management.

7Response Process

813 Management will endeavor to:

  • Acknowledge receipt of valid reports in a reasonable timeframe
  • Investigate reported vulnerabilities
  • Take appropriate remediation steps for confirmed vulnerabilities

However, 813 Management makes no guarantees regarding response times, actions taken, or communications provided. We are under no obligation to share investigation findings, remediation timelines, or any other information with reporters.

8Confidentiality Requirements

All vulnerability information must be treated as confidential. Reporters must:

  • Not disclose any details to any third party
  • Not publish or present any information about vulnerabilities
  • Securely delete all vulnerability-related data upon request
  • Maintain confidentiality indefinitely unless explicitly authorized in writing by 813 Management

9Governing Law

This Policy shall be governed by and construed in accordance with the laws of the State of Utah, without regard to its conflict-of-laws principles. You consent to exclusive jurisdiction and venue in the state and federal courts located in Salt Lake County, Utah.

End of Policy

Security & Responsible Disclosure Policy v1.0