
Responsible Vulnerability Disclosure Policy
1. Purpose
At Duvane Building Specialties, we are committed to ensuring the security and integrity of our systems, applications, and data. We recognize the importance of the security research community in helping us identify and address potential vulnerabilities. This Responsible Vulnerability Disclosure Policy outlines how to report security vulnerabilities to us and our commitment to working collaboratively with researchers in a transparent and responsible manner.
2. Scope
This policy applies to all public-facing systems, applications, and services owned or operated by Duvane Building Specialties, including but not limited to:

- Websites (e.g., duvaneinc.com)
- Mobile applications
- APIs and web services
- Cloud-based services
- Other publicly accessible infrastructure

Out-of-scope systems include third-party services not directly managed by Duvane Building Specialties. Please refer to the respective third-party provider’s vulnerability disclosure program.

3. Guidelines for Responsible Disclosure
We encourage security researchers to follow these guidelines when identifying and reporting vulnerabilities:

- Act in Good Faith: Conduct research responsibly, avoiding any actions that could harm our systems, users, or data.
- Respect Privacy: Do not access, modify, or disclose any personal or sensitive data encountered during testing.
- Minimize Impact: Use non-disruptive methods to identify vulnerabilities. Avoid actions that could degrade service performance or availability.
- Do Not Exploit: Refrain from exploiting vulnerabilities beyond what is necessary to demonstrate their existence.
- Comply with Laws: Ensure all activities comply with applicable local, national, and international laws.

4. How to Report a Vulnerability
To report a security vulnerability, please submit the following details to duvanebuildingspecialties@gmail.com:

- A detailed description of the vulnerability, including the affected system or application.
- Steps to reproduce the issue or a proof-of-concept (PoC).
- The potential impact of the vulnerability (e.g., data exposure, unauthorized access).
- Your contact information for follow-up communication.
- Any additional relevant information (e.g., screenshots, logs).

We prefer reports to be submitted in English, but we will make reasonable efforts to accommodate other languages.

5. What to Expect

- Acknowledgment: We will acknowledge receipt of your report within 3 business days.
- Triage and Validation: Our security team will triage and validate the reported vulnerability within 10 business days. We may contact you for additional details.
- Resolution: We will work to remediate verified vulnerabilities promptly and keep you informed of our progress.
- Disclosure: We aim to resolve vulnerabilities within 90 days of validation. We will coordinate with you on public disclosure, if applicable, after remediation.

6. Safe Harbor
We will not pursue legal action against individuals who:

- Adhere to this policy and act in good faith.
- Do not cause harm to our systems, users, or data.
- Do not publicly disclose vulnerabilities without our prior consent.

We consider responsible vulnerability research to be a valuable contribution to our security posture and will work to protect researchers who follow this policy.

7. Recognition
While we do not offer monetary rewards, we may recognize researchers who report valid vulnerabilities by:

- Acknowledging your contribution in our Security Hall of Fame (with your consent).
- Providing a public thank-you via our blog or social media (with your consent).

8. Exclusions
The following activities are strictly prohibited and are not covered under this policy:

- Performing denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
- Accessing, modifying, or destroying user data.
- Social engineering attacks (e.g., phishing, pretexting) against our employees or customers.
- Physical attacks or attempts to access our facilities.
- Automated scanning or testing that generates excessive traffic or disrupts services.

Engaging in these activities may result in legal action or exclusion from our responsible disclosure program.

9. Contact
For questions about this policy or to submit a vulnerability report, please contact us at duvanebuildingspecialties@gmail.com.

10. Policy Updates
This policy may be updated periodically to reflect changes in our practices or legal requirements. The latest version will always be available at duvaneinc.com.

Last Updated: May 09, 2025

We appreciate your efforts in helping us keep our systems secure. Thank you for contributing to a safer digital environment.