The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
The terms "Researcher" or "Reporter" in this document are intended to be consistent with the terms "Finder" and/or "Reporter" as used in ISO/IEC 29147:2014(E) and the CERT® Guide to Coordinated Vulnerability Disclosure.
ORGANIZATION - the name of an organization or entity, specifically the one creating this policy.
SYSTEM SCOPE - A defined set of systems. E.g., "ORGANIZATION's information systems", "ORGANIZATION's public web sites", "PRODUCT versions X through Y", "Critical infrastructure information systems", or any other similar scope.
JURISDICTION - the territorial, political, or governmental scope of a regulatory authority.
SLC - Service Level Commitment, typically expressed in terms of the minimum or maximum time until some event trigger. For example: at least 45 days, not more than 90 days, within 2 business days, etc.
PUBLICATION CHANNEL - A specific medium through which information is conveyed, e.g., a web site, mailing list, Twitter, RSS or Atom Feed, or database.
BUG BOUNTY - A type of Vulnerability Disclosure Program in which the ORGANIZATION compensates reporters for reports meeting specific criteria.
REPORTING CHANNEL - A specific medium through which vulnerability reports are communicated from a Reporter to the ORGANIZATION. Examples include: an email address, a web form, or a bug tracking platform.