Responsible Disclosure Policy

Last Updated: 10/20/2025


At Personnelgraph, the security of our platform, services, and user data is a top priority. We are committed to maintaining a safe and secure environment for employers, applicants, and authorized users. This Responsible Disclosure Policy outlines how security researchers and members of the public can report potential vulnerabilities in good faith.


By submitting a vulnerability report, you acknowledge that you have read and agreed to the terms of this policy.


1. Purpose


The purpose of this policy is to:
Encourage responsible reporting of potential security issues.
Establish a clear process for disclosing vulnerabilities.
Protect user data, including consumer and applicant information protected under federal and state laws such as the FCRA and GLBA.
Prevent unauthorized access, misuse, or disclosure of personal data.


2. Scope


This policy applies to:
The Personnelgraph public-facing website
Personnelgraph background screening platform and related web applications
APIs and services owned or operated by Personnelgraph
It does not cover third-party services or platforms not directly under our control.


3. Reporting a Vulnerability


If you believe you have identified a security vulnerability, please report it immediately by emailing:
security@personnelgraph.com
Please include the following:
Description of the issue
Steps to reproduce
Potential impact
Any relevant screenshots or proof-of-concept details
Your contact information (optional for anonymous submissions)
We encourage encryption of messages containing sensitive details.


4. What We Ask of You (Good Faith Requirements)


To protect users and the integrity of our systems, you must:
Not exploit or publicly disclose any vulnerability.
Avoid accessing personal data, PII, criminal history records, or background screening results.
Not perform actions that could harm system functionality, uptime, or data integrity.
Limit testing to non-destructive methods.
Not use automated tools that generate large volumes of traffic.
Comply with applicable laws, including the Computer Fraud and Abuse Act (CFAA).
If you inadvertently access sensitive information, stop testing immediately and report the vulnerability without storing, sharing, or transferring the data.


5. Our Commitment to You


If you follow this policy in good faith:
We will not pursue legal action related to your vulnerability testing.
We will acknowledge receipt of your report.
We will investigate the issue promptly.
We may provide public recognition if the issue is validated and you consent to attribution.
Note: This is not a bug bounty program and we do not currently offer financial rewards for submissions.


6. Prohibited Activities


The following activities are strictly prohibited:
Accessing or attempting to access personal data such as applicant criminal reports, authorization data, or user credentials.
Social engineering, phishing, or impersonation of Personnelgraph staff or customers.
Physical attacks on infrastructure or facilities.
Use of denial-of-service (DoS or DDoS) methods.
Testing that violates applicable laws or regulatory requirements.


7. Remediation and Follow-Up


Once a vulnerability has been reported:
We will review and validate the report.
If confirmed, we will work to remediate the issue in a timely manner.
We may request follow-up information or clarification from you during the investigation.
Where appropriate, we will provide updates regarding the status of the fix.


8. Responsible Public Disclosure


You may not publicly disclose any vulnerability or related details until:
We have confirmed that the issue has been fully resolved, and
You have received explicit written permission from Personnelgraph to share the information.
Unauthorized disclosure may compromise system security and could result in legal action.


9. Contact Information


To report vulnerabilities or ask questions about this policy, contact us at:
Email: security@personnelgraph.com
Subject Line: Responsible Disclosure Report