DO SUPPLY, LLC VULNERABILITY DISCLOSURE POLICY

=================================================================
=== PURPOSE
=================================================================

We are committed to maintaining the security of our systems and protecting customer data. This policy describes how to responsibly find and report security vulnerabilities to our team.

=================================================================
=== SCOPE
=================================================================

This policy applies to all publicly accessible services under the following hostnames, or any third-party scripts, assets, or APIs used by those services:

- dosupply.com
- pdfsupply.com
- *.dosupply.com
- *.pdfsupply.com

In-scope vulnerabilities include:

- Account registration, login, settings, and authentication
- Customer data (profile, addresses, order history)
- Form submissions (contact, quote, sell surplus, repair forms)
- Checkout and payment workflows
- Internal and supporting APIs
- Infrastructure and domain names

=================================================================
=== REPORTING GUIDELINES
=================================================================

If you believe you have found a security vulnerability, please:

1. Email security@dosupply.com
2. Encrypt sensitive details using our PGP key:
   https://www.dosupply.com/.well-known/security-pgp-public.asc
3. Include:
   - A clear description of the issue and potential impact
   - Steps to reproduce the issue
   - Any relevant request/response examples, screenshots, or videos

We ask that you:

- Do not exploit, modify, or destroy data.
- Do not access other users' accounts or personal information. If an account has been accessed inadvertently, immediately cease further requests, destroy associated cookies and tokens, and report the issue to us using the steps above.
- Do not run automated scanners or denial-of-service tools.
- Do not attempt financial transactions or test real credit cards.

Our commitment:

- We will acknowledge receipt within 3 business days.
- We will provide updates during triage and remediation.
- We will credit researchers publicly if requested and if the report results in a confirmed improvement.
- We may, at our discretion, further recognize significant reports that lead to meaningful security improvements.

=================================================================
=== SAFE HARBOR
=================================================================

We will not pursue legal action for good-faith, non-disruptive testing that complies with this policy.