Responsible Disclosure Policy

RECUR360/R360 is providing this service to help ensure a safe and secure environment for all users. If external parties find any sensitive information, potential vulnerabilities, or weaknesses, please help by responsibly disclosing it to ResponsibleDisclosure@fullsteam.com.

This policy applies to RECUR360/R360 hosted applications and any other subdomains or services associated with products. RECUR360/R360 does not accept reports for vulnerabilities that solely affect marketing websites, containing no sensitive data.

Security researchers must not:

• Engage in physical testing of facilities or resources.
• Engage in social engineering.
• Send unsolicited electronic mail to RECUR360/R360 users, including “phishing” messages.
• Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks.
• Introduce malicious software.
• Execute automated scans or tools that could disrupt services, such as password guessing attacks.
• Test in a manner which could degrade the operation of RECUR360/R360 systems or intentionally impair, disrupt, or disable RECUR360/R360 systems.
• Test third-party applications, websites, or services that integrate with or link to or from RECUR360/R360 systems.
• Delete, alter, share, retain, or destroy RECUR360/R360 data, or render RECUR360/R360 data inaccessible.
• Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on RECUR360/R360 systems, or “pivot” to other RECUR360/R360 systems.

Security researchers may:

• View or store RECUR360/R360 nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security researchers must:

• Cease testing and notify us immediately upon discovery of a vulnerability.
• Cease testing and notify us immediately upon discovery of an exposure of nonpublic data.
• Purge any stored RECUR360/R360 nonpublic data upon reporting a vulnerability.

Thank you for helping to keep RECUR360/R360 and our users safe!