Responsible Disclosure Policy

Last updated: December 16, 2025

This policy covers responsible security and vulnerability reporting for TrialTrack and VendorVigilance (the "Services").

Introduction

Mayet welcomes feedback from security researchers and the general public to help improve security. This policy outlines steps for reporting vulnerabilities, our expectations, and what researchers can expect from us.

Systems in scope

This policy applies to any digital assets owned, operated, or maintained by Mayet.

Out of scope

  • Assets or equipment not owned by participating parties

Vulnerabilities in out-of-scope systems should be reported to appropriate vendors or authorities.

Our commitments

We pledge to:

  • Respond promptly and work to understand and validate reports
  • Keep researchers informed about vulnerability processing progress
  • Remediate discovered vulnerabilities in a timely manner within operational constraints
  • Extend Safe Harbor for vulnerability research complying with this policy

Our expectations

Researchers must:

  • Follow this policy and relevant agreements
  • Report vulnerabilities promptly
  • Avoid privacy violations, system disruption, data destruction, or user experience harm
  • Use Official Channels exclusively for vulnerability discussions
  • Allow a minimum of 90 days before public disclosure
  • Test only in-scope systems
  • Limit data access to the minimum necessary for a Proof of Concept
  • Cease testing immediately upon encountering PII, PHI, credit card data, or proprietary information
  • Interact only with test accounts you own, or with explicit permission
  • Refrain from extortion

Exclusions

Researchers should avoid:

  • Denial of service actions
  • Interacting with accounts without ownership or explicit permission
  • Testing contact and support forms

Definition of a vulnerability

A security vulnerability is a weakness in one of our products or infrastructure that could allow an attacker to impact its confidentiality, integrity, or availability.

Not classified as vulnerabilities:

  • HTTP header presence/absence (X-Frame-Options, CSP, nosniff)
  • Missing security attributes on non-sensitive cookies
  • Theoretical issues without realistic exploit scenarios
  • Domain setting issues (SPF, DKIM)
  • Clickjacking reports against unauthenticated pages or static content

Safe Harbor

Research complying with this policy is:

  • Authorized under applicable anti-hacking laws
  • Authorized under anti-circumvention laws
  • Exempt from Terms of Service/Acceptable Usage Policy restrictions
  • Conducted lawfully and in good faith

We will not initiate legal action for accidental good-faith violations and will inform third parties of compliance if legal action occurs.

Safe Harbor applies only to legal claims under our control and does not bind independent third parties.

Contact

For vulnerability reports, please contact us through our official channels with comprehensive information.