Last Updated: April 2026
Security is a Shared Responsibility. WasteVision LLC values the security research community and welcomes responsible vulnerability disclosures. This policy outlines our commitment to working with security researchers and describes the process for reporting vulnerabilities we may not yet be aware of.
1. Introduction
WasteVision LLC ("Company," "we," "us," "our") is committed to maintaining a secure cloud-based platform for AI-powered waste and recycling operational intelligence. We understand that security is a continuous process and appreciate the work of security researchers and ethical hackers who help identify and address vulnerabilities before they can be exploited maliciously. This Responsible Disclosure Policy establishes guidelines for reporting security vulnerabilities in our systems, services, and applications in a safe and constructive manner.
2. Scope
This policy applies to vulnerabilities discovered in the following systems and domains:
- WasteVision Platform (wastevision.ai) — Our primary web application and AI-powered analytics platform for waste management operations
- Cloud Portal (app.wastevision.ai) — Our cloud login and account management portal for customers and authorized users
- WasteVision API — Our RESTful application programming interface used by customers to integrate WasteVision data with their systems
- Associated infrastructure — Any systems, services, or subdomains directly operated and maintained by WasteVision LLC
Vulnerabilities in third-party services, libraries, or platforms that we use but do not operate (such as cloud hosting providers, payment processors, or open-source software) should be reported directly to the affected vendor according to their responsible disclosure policies.
3. How to Report a Vulnerability
If you discover a security vulnerability in any WasteVision system or service, please report it to our security team by email at security@wastevision.ai. Do not publicly disclose the vulnerability, open a public issue in a bug tracker, or discuss it on social media until we have had an opportunity to investigate and address it. Reporters who follow this policy will not face legal action from WasteVision (see Safe Harbor below) and will receive recognition, if they wish, for their contribution to our security.
For sensitive or urgent matters, please include "[SECURITY]" in your email subject line so the report is routed to our security team for immediate attention.
4. What to Include in Your Report
To help us quickly understand and address the vulnerability, please include the following information in your report:
- Clear Description: A detailed explanation of the vulnerability, including what it is, how it could be exploited, and what systems or data it affects
- Affected Component: The specific domain, service, API endpoint, or application component where the vulnerability exists
- Steps to Reproduce: Clear, step-by-step instructions, including any request/response details or test account used, that our security team can follow to reproduce the vulnerability
- Proof of Concept: If applicable, provide a simple proof of concept, screenshots, or code that demonstrates the vulnerability (without causing harm or accessing unauthorized data)
- Impact Assessment: An explanation of the potential impact if the vulnerability were exploited, including what data could be accessed, modified, or deleted, and who might be affected
- Severity Estimation: Your assessment of the vulnerability's severity (critical, high, medium, low) based on factors such as ease of exploitation, impact, and affected user base
- Contact Information: Your name, email address, phone number, and any affiliated organization or bug bounty platform (so we can contact you with updates and provide recognition if applicable)
5. Safe Harbor & Legal Protection
WasteVision LLC is committed to fostering a culture of security research and responsible disclosure. We will not initiate legal action or any legal claim against security researchers or ethical hackers who:
- Report vulnerabilities in good faith
- Avoid accessing, modifying, or deleting customer data or company information
- Respect the privacy and systems of other users
- Do not publicly disclose the vulnerability before we have had reasonable time to address it
- Stop testing immediately if we ask them to, and allow us the remediation time described in the Response Timeline below
- Act in accordance with applicable laws and regulations
Researchers operating in good faith and following this policy will receive our commitment that we will work cooperatively and transparently to address the reported vulnerability. Your responsible actions help make WasteVision and the broader waste management industry more secure.
6. What We Ask of You
To maintain a productive and legally compliant responsible disclosure process, we ask that security researchers adhere to the following guidelines:
- Do Not Access Others' Data: Do not attempt to access, view, copy, or exfiltrate customer data, business information, personal information, API keys, credentials, or any other data beyond what is necessary to confirm the vulnerability
- Do Not Disrupt Services: Do not perform testing that could disrupt or degrade the availability, performance, or functionality of WasteVision systems for legitimate users, including denial-of-service (DoS) or stress testing
- Do Not Share or Use Discovered Credentials: If you come across stored credentials, API keys, or authentication tokens during testing, do not share them with anyone and do not use them to access systems beyond the minimum necessary to confirm the vulnerability; report where you found them so we can rotate them
- Maintain Confidentiality: Do not disclose the vulnerability to any third parties, including other researchers, social media, or bug tracking services, until we have provided written authorization or the vulnerability has been publicly disclosed by WasteVision
- Provide Reasonable Time: Allow us a reasonable amount of time to investigate, reproduce, and remediate the vulnerability before public disclosure (see Response Timeline below)
- Use Only Designated Systems: Conduct testing only on systems explicitly listed in the Scope section above; do not test against customer accounts or production data of other users
7. Response Timeline
WasteVision LLC is committed to responding promptly to security vulnerability reports. Here is our expected timeline:
- Initial Acknowledgment (48 hours): We will acknowledge receipt of your vulnerability report and provide you with a reference number for tracking purposes
- Initial Assessment (5 business days): Our security team will review your report, attempt to reproduce the vulnerability, and assess its validity and severity
- Progress Updates (As needed): For complex vulnerabilities, we will provide periodic updates on our investigation and remediation efforts
- Remediation Timeline (Severity-dependent):
- Critical severity: Fix in development within 24 hours; deploy to production within 7 days
- High severity: Fix in development within 3 days; deploy to production within 14 days
- Medium severity: Fix in development within 7 days; deploy to production within 30 days
- Low severity: Address in the next scheduled release (typically within 60 days)
- Final Notification: Once a vulnerability has been patched and deployed to production, we will notify you and coordinate on any public disclosure
These timelines are estimates and may vary based on the complexity of the vulnerability and our development cycle. In all cases, we will work diligently to address security issues and keep you informed of our progress.
8. Recognition of Researchers
WasteVision LLC is grateful for the work of security researchers who responsibly disclose vulnerabilities. With your permission, we would like to publicly acknowledge and thank researchers who contribute to our security. We may recognize contributions through:
- Our Security Researchers page on our website
- A brief mention in our security release notes
- Social media acknowledgment
- Our security advisory emails
Public recognition is entirely optional. If you prefer to remain anonymous or would like your name used in a specific way, please let us know in your initial report or during our follow-up communication.
9. Out of Scope
The following categories of testing and issues are explicitly out of scope for this responsible disclosure policy and should not be reported under this program:
- Social Engineering: Phishing emails, pretexting, physical security testing, or attempts to manipulate employees into revealing sensitive information
- Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: Any attempt to disrupt or degrade service availability, including stress testing, resource exhaustion, or network-based attacks
- Physical Security Issues: Physical access vulnerabilities at our offices, data centers, or facilities
- Spam or Unsolicited Communications: Email spam, SMS spam, or other mass communication vulnerabilities
- Attacks on Third-Party Systems: Vulnerabilities in systems we use but do not operate (cloud providers, payment processors, etc.)
- Issues Requiring Customer Action: Weak passwords chosen by individual users or other user error (suggestions for hardening our own password policy are welcome)
- Brute Force or Account Enumeration: Guessing credentials or enumerating valid user accounts through repeated, high-volume attempts
Testing activities in these categories may violate applicable laws and our terms of service. WasteVision reserves the right to pursue legal action against researchers conducting such activities without authorization.
10. Contact Information
For all security vulnerability reports and responsible disclosure inquiries, please contact our security team at security@wastevision.ai (include "[SECURITY]" in the subject line for urgent matters).
For general security inquiries or questions about this policy, you may also contact our main support team at info@wastevision.ai.
Thank you for helping us keep WasteVision and the waste management industry secure.