Archive360 Vulnerability Disclosure Policy

Introduction
Archive360 is committed to the security of its customers, partners and employees. As part of our ongoing efforts to maintain the trust and security of our products and services, we encourage any stakeholders, researchers, or other interested parties to report potential vulnerabilities or security issues.
Once you disclose a potential issue, please allow us 3 days to review your submission, at which point we will contact you if requested.
Scope
This policy covers only Archive360 products. It specifically excludes any customer or partner managed environments, systems, networks, hardware, or devices. Archive360 does not consent to any testing on behalf of customers without prior written approval by the customer and Archive360. Please contact Archive360 at security@archive360.com with any questions related to the scope of this disclosure policy.
To participate:
- Be at least 18 years old
- Not be an employee of Archive360
- Not be a resident of, or make submissions from, a country subject to US export sanctions or trade restrictions
- Follow the procedures outlined below, not engage in proscribed activities, and submit your report subject to confidentiality requirements
Procedures and Activities
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you have established that a vulnerability exists or have encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Testing Methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Testing against any customer or partner managed environments
Reporting a Vulnerability
To help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
Reports can be emailed to security@archive360.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 days.
Confidentiality
Any data you collect or obtain in connection with your activities under this Policy is considered Archive360 confidential information. You may not use, disclose, or distribute any Confidential Information, including information about your vulnerability report, without Archive360’s consent. Any unauthorized disclosure of Confidential Information will result in a ban from participating under this Policy, and you will be held liable for any direct or indirect damages Archive360 may incur because of the Confidential Information’s disclosure.
Compensation
Monetary compensation is not generally provided under this program, but Archive360 reserves its right to do so in its sole discretion.