Skip to main content
AC

Acme Cloud

EthicPages logoVisit EthicPages

Vulnerability Disclosure

Last updated: January 15, 2026

Vulnerability Disclosure Policy

Document owner: Chief Information Security Officer Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual, and upon material security program changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

1. Document Purpose and Executive Summary

This Vulnerability Disclosure Policy ("Policy") establishes Acme Cloud, Inc.'s ("Company," "we," "us," or "our") formal framework for receiving, processing, triaging, remediating, and disclosing security vulnerabilities discovered in our products, services, and infrastructure. This Policy demonstrates our commitment to transparency, responsible security research, and collaborative engagement with the global security research community.

The vulnerability disclosure program is a critical component of our defense-in-depth security strategy, complementing automated security scanning, penetration testing, code reviews, and continuous security monitoring. By establishing clear guidelines for external security researchers, we create a structured channel for identifying and addressing security weaknesses before they can be exploited by malicious actors.

This Policy applies to all Acme Cloud assets within the defined scope, establishes safe harbor protections for good-faith security researchers, defines our disclosure coordination process, and outlines our recognition program for contributors to our security posture.

Key Policy Commitments:

  • We will acknowledge vulnerability reports within two (2) business days
  • We will provide status updates at minimum every ten (10) business days
  • We will remediate critical vulnerabilities within seventy-two (72) hours target
  • We will not pursue legal action against researchers acting in good faith
  • We will publicly recognize researchers who report valid vulnerabilities (with consent)

2. Definitions

For purposes of this Policy, the following terms shall have the meanings set forth below:

TermDefinition
VulnerabilityA weakness in a system, application, or process that could be exploited to compromise the confidentiality, integrity, or availability of information or systems. This includes software bugs, misconfigurations, design flaws, and process deficiencies.
Security ResearcherAny individual or organization conducting security testing activities to identify vulnerabilities in computer systems, networks, or applications, whether independently or under engagement.
Good FaithActing with honest intent, without malicious purpose, and in compliance with applicable law and this Policy. Good faith requires avoiding unnecessary harm, respecting privacy, and promptly reporting discovered vulnerabilities.
Safe HarborLegal protection extended by the Company to security researchers who comply with this Policy, shielding them from legal action related to authorized security research activities.
Coordinated DisclosureA process whereby the discoverer of a vulnerability shares information with the affected vendor under embargo, allowing time for remediation before public disclosure.
CVSSCommon Vulnerability Scoring System, an industry-standard framework for assessing the severity of security vulnerabilities based on exploitability, scope, and impact metrics.
CVECommon Vulnerabilities and Exposures, a publicly disclosed cybersecurity vulnerability identifier maintained by MITRE Corporation.
Proof of Concept (PoC)A demonstration that a vulnerability is exploitable, typically through code, screenshots, or documentation showing the attack path and impact.
TriageThe process of evaluating a reported vulnerability to assess its validity, severity, scope, and appropriate remediation priority.
RemediationActions taken to fix, patch, mitigate, or otherwise address a vulnerability to eliminate or reduce associated risk.
Bug BountyA reward program offering monetary compensation to researchers who report valid security vulnerabilities (not currently offered by Acme Cloud).
Embargo PeriodThe time between initial vulnerability report and public disclosure, during which the vendor works to remediate the issue.
SubprocessorA third-party service provider that processes data on behalf of Acme Cloud in connection with service delivery.
Zero-DayA previously unknown vulnerability with no available patch at the time of discovery or exploitation.
Attack SurfaceThe sum of all points where an unauthorized user could attempt to enter data to or extract data from the Company's systems.

3. Scope of Testing Authorization

3.1 In-Scope Assets

The following assets are authorized for security testing under this Policy:

Asset CategorySpecific AssetsAuthorization LevelNotes
Production Web Applicationsacmecloud.com, *.acmecloud.com (excluding customer subdomains)Full testing authorizedRate limiting applies
Customer-Facing SaaS Platformapp.acmecloud.com, api.acmecloud.comFull testing on researcher-owned accountsDo not test against other customers
Authentication Systemsauth.acmecloud.com, login.acmecloud.comLimited testing authorizedNo credential stuffing or account enumeration
Public API Endpointsapi.acmecloud.com/v1/, api.acmecloud.com/v2/Testing authorized per API documentationRespect rate limits; use test credentials
Mobile ApplicationsOfficial iOS and Android applications from App Store/Google PlayFull testing authorizedTest against latest released version
Browser ExtensionsOfficial Chrome and Firefox extensionsFull testing authorizedTest against latest released version
Open Source Repositoriesgithub.com/acmecloud/*Full testing authorizedFollow responsible disclosure for libraries
Documentation Sitesdocs.acmecloud.com, developers.acmecloud.comLimited testing authorizedContent injection vulnerabilities in scope
Status Pagestatus.acmecloud.comLimited testing authorizedAvailability testing not authorized

3.2 Out-of-Scope Assets and Activities

The following are explicitly out of scope and testing is not authorized:

CategoryExamplesRationaleAlternative Action
Third-Party ServicesCDN providers, analytics platforms, payment processorsNot under Company controlReport directly to service provider
Customer Data and AccountsAny customer tenant, customer-configured integrationsPrivacy and legal concernsUse only researcher-owned test accounts
Social EngineeringPhishing employees, pretexting, tailgatingEmployee safety and privacyNot permitted under any circumstances
Physical SecurityOffice access, hardware tampering, dumpster divingPhysical safety concernsRequires separate written authorization
Denial of ServiceResource exhaustion, traffic flooding, crash testingService availability impactReport theoretical DoS vulnerabilities without testing
Spam and Mass MessagingEmail flooding, notification abuseUser experience impactReport vulnerability without exploitation
Data DestructionDeleting data, corrupting databasesIrreversible harmDemonstrate read-only proof of concept
Privacy ViolationsAccessing personal data, surveillanceLegal and ethical concernsReport vulnerability without accessing PII
Competitor SystemsPartner integrations, marketplace appsNot under Company controlReport to respective vendors
Automated Scanning (Aggressive)High-volume automated tools, fuzzing without coordinationService degradation riskCoordinate with security team before automated testing
Employee Personal AccountsSocial media, personal email, personal devicesPrivacy violationsNot permitted under any circumstances
Acquired Companies Pre-IntegrationSystems of recently acquired companies not yet integratedScope uncertaintyContact security team for clarification

3.3 Testing Conduct Requirements

Researchers must adhere to the following conduct requirements during testing:

RequirementSpecificationVerification Method
Rate LimitingMaximum 10 requests per second for automated testingMonitored via WAF logs
Session ManagementUse only researcher-controlled test accountsAccount verification during triage
Data AccessAccess minimum data necessary to demonstrate vulnerabilityReport review
Data RetentionDelete any inadvertently accessed data promptlySelf-attestation in report
ConfidentialityDo not disclose vulnerability until coordinated disclosurePublic monitoring
CommunicationUse designated channels only (security@acmecloud.com)Channel verification
Professional ConductNo threats, extortion, or unprofessional communicationCommunication review
Tool UsageAvoid tools that may cause service degradationActivity monitoring
Geographic RestrictionsComply with applicable sanctions and export controlsIP verification
Legal ComplianceComply with all applicable laws beyond this PolicySelf-attestation

4. Safe Harbor Provisions

4.1 Legal Protection Commitment

Acme Cloud extends the following legal protections to security researchers who comply with this Policy:

4.1.1 Authorization Under Computer Fraud and Abuse Act (CFAA)

We consider security research conducted in accordance with this Policy to be authorized access under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), to the extent such authorization is legally effective. We will not pursue civil claims or initiate criminal complaints against researchers who:

  • Conduct testing only against in-scope assets
  • Avoid privacy violations, data destruction, and service disruption
  • Report vulnerabilities promptly through designated channels
  • Do not exploit vulnerabilities beyond proof-of-concept demonstration
  • Do not access, modify, or exfiltrate customer data
  • Maintain confidentiality until coordinated disclosure

4.1.2 Safe Harbor Limitations

Safe harbor protection does not extend to:

Excluded ActivityRationaleConsequence
Violations of laws unrelated to security researchLegal compliance requirementMay result in law enforcement referral
Access to customer data without authorizationPrivacy and legal obligationsNot protected; may result in prosecution
Testing against out-of-scope assetsScope limitationNot protected under this Policy
Disclosure in violation of embargoCoordinated disclosure requirementRecognition forfeited; future reports may be declined
Extortion or ransom demandsCriminal conductNot protected; will result in law enforcement referral
Repeated Policy violations after warningBad faith indicatorSafe harbor revoked for individual
Testing from sanctioned jurisdictionsExport control complianceMay not be legally protected

4.2 Third-Party Safe Harbor Coordination

If your research involves third-party services integrated with Acme Cloud, we will make good-faith efforts to coordinate with those parties regarding safe harbor protections. However, we cannot guarantee third-party enforcement decisions. Researchers should review third-party vulnerability disclosure policies before testing integrated services.

4.3 Employment and Contractor Exclusions

Current employees, contractors, and their immediate family members are not eligible for public recognition under this Policy. Such individuals should report security concerns through internal channels (internal security ticketing system, direct CISO contact, or whistleblower hotline per Whistleblower Policy).

5. Vulnerability Reporting Procedures

5.1 Reporting Channels

ChannelContact InformationAvailabilityEncryptionUse Case
Primary Emailsecurity@acmecloud.com24/7 (monitored business hours)PGP availableAll vulnerability reports
Encrypted Submissionssecurity.txt PGP key24/7Required for sensitive dataReports containing exploit code or sensitive details
Web Formacmecloud.com/security/report24/7TLS onlyStructured report submission
HackerOne (Monitoring)hackerone.com/acmecloudN/APlatform nativeWe monitor for reports; not primary channel
Emergency Line+1-415-555-019924/7NoCritical vulnerabilities requiring immediate attention

5.2 Report Content Requirements

Complete vulnerability reports should include the following information:

Required ElementDescriptionExample
Vulnerability TypeClassification of the vulnerability (XSS, SQLi, IDOR, etc.)"Stored Cross-Site Scripting (XSS)"
Affected AssetSpecific URL, endpoint, application, or component"https://app.acmecloud.com/dashboard/settings"
Affected VersionsApplication version, API version, or date observed"API v2.3.1, observed January 15, 2026"
Reproduction StepsDetailed, numbered steps to reproduce the vulnerability"1. Log in as standard user\n2. Navigate to settings\n3. Enter payload in name field"
Proof of ConceptCode, screenshots, video, or HTTP requests demonstrating the issueHTTP request/response, screenshot with redactions
Impact AssessmentYour assessment of potential impact to confidentiality, integrity, or availability"Allows session hijacking of logged-in users"
Severity EstimateYour CVSS score estimate if possible"CVSS 3.1 Base Score: 8.1 (High)"
Discovery ContextHow you discovered the vulnerability"Manual testing during API integration review"
Recommended FixIf known, suggest remediation approach"Implement output encoding for user-supplied content"
Contact InformationEmail or secure contact method for follow-up"researcher@example.com, Signal: +1-xxx-xxx-xxxx"
Recognition PreferenceWhether you wish to be publicly credited"Yes, credit as 'Jane Doe'"

5.3 Optional but Helpful Information

  • Environment details (browser, OS, network configuration)
  • Traffic captures (sanitized of personal information)
  • Automated tool output (if applicable)
  • References to similar vulnerabilities (CVE numbers, prior art)
  • Proposed timeline for coordinated disclosure

6. Vulnerability Handling Process

6.1 Response Timeline Commitments

PhaseTarget TimelineMaximum TimelineEscalation Trigger
Acknowledgment1 business day2 business daysAuto-escalation if not acknowledged
Initial Triage3 business days5 business daysManager escalation at day 4
Severity Assignment5 business days7 business daysCISO notification for High/Critical
Remediation Plan7 business days14 business daysExecutive escalation for Critical
Status Update CadenceEvery 7 daysEvery 10 business daysReporter may request escalation
Critical Remediation24 hours72 hoursIncident commander activation
High Remediation7 days14 daysManagement review
Medium Remediation30 days60 daysStandard tracking
Low Remediation60 days90 daysBacklog prioritization
Reporter Notification (Resolution)3 business days after fix5 business daysAutomatic on ticket closure

6.2 Triage and Severity Classification

We use CVSS v3.1 as the baseline for severity classification, adjusted for business context and exploitability:

SeverityCVSS RangeDefinitionRemediation SLAExamples
Critical9.0 – 10.0Vulnerabilities allowing unauthenticated remote code execution, mass data exfiltration, or complete system compromise72 hoursUnauthenticated RCE, SQL injection with full database access, authentication bypass to admin
High7.0 – 8.9Vulnerabilities allowing significant impact with some constraints (authentication, user interaction, or limited scope)14 daysAuthenticated privilege escalation, stored XSS in admin panel, SSRF with internal network access
Medium4.0 – 6.9Vulnerabilities with moderate impact requiring specific conditions or limited exploitability60 daysCSRF on non-critical actions, reflected XSS requiring social engineering, information disclosure of non-sensitive data
Low0.1 – 3.9Vulnerabilities with minimal impact or requiring unlikely conditions90 daysMissing security headers, verbose error messages, clickjacking on non-sensitive pages
Informational0.0Observations that may indicate security improvements but do not represent exploitable vulnerabilitiesNo SLABest practice recommendations, defense-in-depth suggestions

6.3 Internal Escalation Matrix

SeverityImmediate NotificationExecutive BriefingBoard Notification
CriticalCISO (4 hours), VP EngineeringCEO (24 hours)Audit Committee (if customer data affected)
HighSecurity Engineering ManagerCISO (weekly summary)N/A
MediumSecurity Engineer on-callMonthly metricsN/A
LowStandard ticket workflowQuarterly summaryN/A

7. Coordinated Disclosure Framework

7.1 Disclosure Timeline

Acme Cloud requests a standard ninety (90) day embargo period from report acknowledgment to public disclosure. This timeline allows for:

  • Thorough investigation and root cause analysis
  • Development and testing of remediation
  • Deployment to production environments
  • Customer notification where appropriate
  • Coordination with affected third parties

7.2 Timeline Modifications

ScenarioAdjustmentApproval Required
Simple fix, low riskMay reduce to 30-60 daysMutual agreement
Complex remediationMay extend to 120 daysResearcher agreement, written explanation
Active exploitation observedAccelerated disclosure (7-14 days)CISO approval
Third-party dependenciesExtension based on vendor timelineDocumented coordination
Researcher request for extensionConsidered on case-by-case basisCISO approval
Holiday or resource constraintsUp to 30 additional daysMutual agreement

7.3 Disclosure Publication Process

Upon remediation and embargo completion:

StepActionTimelineResponsible Party
1Verify fix deployed to all production environmentsBefore disclosureEngineering
2Notify researcher of resolution and disclosure readiness5 days before disclosureSecurity Team
3Prepare security advisory (internal review)3 days before disclosureSecurity Team + Legal
4Request CVE identifier (if applicable)5 days before disclosureSecurity Team
5Publish advisory to acmecloud.com/security/advisoriesDisclosure dateSecurity Team
6Update Hall of Fame (if researcher consents)Within 5 days of disclosureSecurity Team
7Notify affected customers (if applicable)Per customer notification SLACustomer Success

8. Recognition Program

8.1 Security Hall of Fame

Acme Cloud maintains a Security Hall of Fame at acmecloud.com/security/hall-of-fame to recognize researchers who report valid in-scope vulnerabilities.

Recognition ElementOptionsTiming
Name/HandleReal name, pseudonym, or "Anonymous"At disclosure
AffiliationCompany or independent researcherAt disclosure
Vulnerability CategoryGeneral category (XSS, SQLi, etc.)At disclosure
Recognition DateMonth and year of acknowledgmentAt disclosure
Social LinkTwitter/X, LinkedIn, or personal website (optional)At disclosure

8.2 Recognition Eligibility Criteria

RequirementDescription
Valid in-scope vulnerabilityConfirmed security issue within Policy scope
Policy complianceResearcher followed all Policy requirements
First reporterFirst to report unique vulnerability (see duplicate policy)
Not employee or contractorCurrent Acme Cloud personnel ineligible
No extortion attemptsNo demands for payment as condition of report
Consent to recognitionResearcher affirmatively requests recognition

8.3 Swag and Appreciation

While Acme Cloud does not currently operate a paid bug bounty program, we provide appreciation tokens to recognized researchers:

ItemEligibilityNotes
Acme Cloud security t-shirtAll recognized researchersShipped within 30 days of recognition
Security sticker packAll recognized researchersIncluded with t-shirt shipment
Handwritten thank-you noteCritical/High findingsFrom CISO
Reference letterExceptional contributionsUpon request
LinkedIn recommendationOutstanding researchersUpon request

8.4 Bug Bounty Program Evaluation

Acme Cloud evaluates transition to a paid bug bounty program annually based on:

FactorCurrent StatusTarget for Bounty Consideration
Annual report volume47 reports (FY2025)100+ reports
Remediation capacity12 valid findings remediatedSustained capacity for 50+ annually
Program maturity2 years operating3+ years established
Budget allocationNot currently budgetedExecutive approval required
Platform evaluationHackerOne, Bugcrowd, Intigriti assessedPlatform selection complete

9. Duplicate and Invalid Report Handling

9.1 Duplicate Reports

ScenarioOutcomeRecognition
Vulnerability previously reported by external researcherFirst reporter receives recognitionSubsequent reporters notified, no recognition
Vulnerability discovered by internal teamExternal reporter still eligible for recognitionRecognition notes parallel discovery
Vulnerability reported via multiple channels simultaneouslyFirst received report takes precedenceTimestamp comparison
Vulnerability known but not yet remediatedReporter notified of statusMay receive recognition if not previously credited

9.2 Invalid Report Categories

CategoryExamplesResponse
Out of scopeThird-party services, customer integrationsRedirect to appropriate vendor
Not a vulnerabilityFeature request, usability issueRedirect to product feedback
Theoretical without PoC"I think there might be XSS" without demonstrationRequest proof of concept
Already publicCVE already published, vulnerability in dependency with known patchThank and close
Scanner noiseAutomated tool false positivesClose with explanation
Policy violationsTested customer accounts, caused service disruptionWarning or safe harbor revocation

10. Security Advisory Publication

10.1 Advisory Content

Security advisories published at acmecloud.com/security/advisories include:

ElementDescriptionInclusion Criteria
Advisory identifierUnique ACME-YYYY-NNN formatAll advisories
CVE identifierWhere assigned by MITRE or CNACritical and High severity
TitleBrief description of vulnerabilityAll advisories
SeverityCVSS score and qualitative ratingAll advisories
Affected versionsSpecific versions or date rangesAll advisories
DescriptionTechnical details appropriate for defendersAll advisories
ImpactPotential consequences of exploitationAll advisories
RemediationActions customers should takeAll advisories
WorkaroundsTemporary mitigations if availableWhere applicable
TimelineDiscovery, report, fix, disclosure datesAll advisories
CreditResearcher acknowledgment (with consent)Where researcher consents
ReferencesRelated CVEs, vendor advisoriesWhere applicable

10.2 Advisory Distribution

ChannelAudienceTiming
Security advisories pagePublicAt disclosure
RSS feedSubscribersAt disclosure
Email notificationEnterprise customers (Critical/High)24-48 hours before public disclosure
In-app notificationAffected customersAt disclosure
Status pageAll users (if service impact)As appropriate

11. Metrics and Program Transparency

11.1 FY2025 Program Metrics

MetricValueTrend
Total reports received47+23% YoY
Valid vulnerabilities confirmed12+20% YoY
Critical severity1Stable
High severity2-1 YoY
Medium severity6+2 YoY
Low severity3Stable
Average acknowledgment time1.2 business daysImproved from 1.8 days
Average time to remediate (Critical)58 hoursWithin SLA
Average time to remediate (High)9 daysWithin SLA
Average time to remediate (Medium)34 daysWithin SLA
Researchers recognized in Hall of Fame8+3 YoY
Reports rejected (out of scope/invalid)35Expected ratio
Safe harbor invocations0No disputes

11.2 Continuous Improvement Initiatives

InitiativeStatusTarget Completion
Implement structured intake formCompleted Q4 2025Done
Automate acknowledgment emailsCompleted Q3 2025Done
Integrate with GRC vulnerability trackerCompleted Q2 2025Done
Launch test account provisioning programPlanned Q2 2026In progress
Evaluate bug bounty platformPlanned Q4 2026Not started
Publish metrics dashboardPlanned Q3 2026Not started

12. SOC 2 and ISO 27001 Control Mapping

12.1 SOC 2 Trust Services Criteria Mapping

Control IDControl DescriptionPolicy Implementation
CC1.1COSO Principle 1: Demonstrates commitment to integrity and ethical valuesSafe harbor provisions, ethical treatment of researchers
CC2.2Internal and external communicationDefined reporting channels, response timelines
CC3.1Risk identificationVulnerability intake and triage process
CC3.2Risk assessmentCVSS-based severity classification
CC3.3Risk managementRemediation SLAs and escalation procedures
CC4.1Monitoring controlsVulnerability metrics, program effectiveness review
CC4.2Deficiency evaluation and remediationVulnerability remediation tracking
CC5.1Control selection and developmentVulnerability disclosure program as preventive control
CC6.1Logical and physical access controlsScope limitations, authorized testing requirements
CC6.8Vulnerability managementCore purpose of this Policy
CC7.1Detection of security eventsExternal researcher reports as detection mechanism
CC7.2Incident response monitoringIntegration with incident response plan
CC7.3Incident response proceduresEscalation matrix, remediation SLAs
CC7.4Incident response communicationReporter notification, advisory publication

12.2 ISO 27001:2022 Annex A Control Mapping

ControlControl TitlePolicy Implementation
A.5.7Threat intelligenceExternal researcher reports as threat intelligence source
A.5.24Information security incident management planningVulnerability handling process
A.5.25Assessment and decision on information security eventsTriage and severity classification
A.5.26Response to information security incidentsRemediation process and SLAs
A.5.27Learning from information security incidentsMetrics tracking, continuous improvement
A.5.28Collection of evidenceReport documentation requirements
A.6.8Information security event reportingReporting channels and procedures
A.8.8Management of technical vulnerabilitiesCore vulnerability management process
A.8.12Data leakage preventionScope restrictions, researcher conduct requirements
A.8.16Monitoring activitiesResearcher activity monitoring

13. Legal and Regulatory Compliance

13.1 Applicable Legal Frameworks

FrameworkApplicabilityPolicy Alignment
Computer Fraud and Abuse Act (CFAA)US federal lawSafe harbor provisions align with DOJ good-faith research guidance
California Comprehensive Computer Data Access and Fraud ActCalifornia state lawSafe harbor extends to state law equivalent
EU Directive 2013/40/EUEU operationsCoordinated disclosure process
UK Computer Misuse Act 1990UK operationsGood-faith research protections
GDPR Article 32EU data subjectsVulnerability management as security measure
CCPA/CPRACalifornia residentsSecurity program component
NIST Cybersecurity FrameworkVoluntary adoptionAligned with Identify, Protect, Detect functions
DOJ Cybersecurity Unit GuidanceUS federal guidanceSafe harbor language aligned with 2022 guidance

13.2 Export Control Considerations

Researchers must comply with US export control regulations (EAR, OFAC sanctions). Acme Cloud cannot provide safe harbor protections for research conducted from comprehensively sanctioned jurisdictions or by individuals on restricted party lists. Researchers are responsible for their own export control compliance.

14. Program Governance and Oversight

14.1 Roles and Responsibilities

RoleResponsibilitiesEscalation Authority
CISOPolicy ownership, program oversight, Critical/High approvalExecutive team, Board
Security Engineering ManagerDay-to-day operations, triage oversightCISO
Security Engineer (On-Call)Initial triage, researcher communicationSecurity Engineering Manager
Engineering Team LeadsVulnerability remediation implementationVP Engineering
Legal CounselSafe harbor review, regulatory complianceGeneral Counsel
CommunicationsAdvisory publication, external communicationsVP Marketing
Customer SuccessCustomer notification for affecting vulnerabilitiesVP Customer Success

14.2 Policy Review and Updates

Review TypeFrequencyTriggerApprover
Scheduled reviewAnnualCalendarCISO
Material change reviewAs neededProgram changes, regulationsCISO + Legal
Post-incident reviewAfter significant findingsCritical vulnerability, process failureCISO
Metrics reviewQuarterlyStandard reportingSecurity Engineering Manager
Benchmark reviewAnnualIndustry comparisonCISO

15. Test Account Provisioning

15.1 Researcher Account Program

Qualified security researchers may request dedicated test accounts to facilitate in-scope testing:

Account TypeProvisioning TimeEligibilityLimitations
Standard test tenant3 business daysValidated researchers with research scope30-day validity, renewable
API test credentials2 business daysValidated researchersRate-limited, test environment
Enterprise feature access5 business daysResearchers testing enterprise featuresRequires scope approval

15.2 Account Request Process

  1. Email security@acmecloud.com with subject "Test Account Request"
  2. Include: researcher identity verification, research scope description, expected testing duration
  3. Security team validates request and provisions account
  4. Account credentials delivered via secure channel (PGP or Signal)
  5. Researcher acknowledges Policy compliance
  6. Account deprovisioned automatically at expiration or upon request

16. Relationship to Other Security Programs

16.1 Program Integration

ProgramRelationshipCross-Reference
Penetration TestingComplement community disclosure with annual professional testingPenetration Testing Program
Incident ResponseCritical vulnerabilities trigger incident response proceduresIncident Response Plan
Third-Party RiskVulnerabilities in vendor systems coordinated through TPRMThird-Party Risk Management
Security OverviewVulnerability management as component of security programSecurity Overview
Change ManagementRemediation changes follow standard change managementInternal change management policy

16.2 Vulnerability Source Integration

All vulnerability sources feed unified tracking:

SourceIntegration PointDeduplication
External researcher reportsThis PolicyManual triage
Penetration test findingsPen test programAutomated matching
Automated scanning (SAST/DAST)CI/CD pipelineAutomated deduplication
Dependency scanning (SCA)Build processAutomated deduplication
Bug bounty platform monitoringMonitoring dashboardManual review
Customer reportsSupport ticketingManual triage
Internal security testingSecurity team testingManual matching

Related Trust Center documents

penetration testing, incident response, security overview, third party risk, access control, compliance frameworks

Document revision history

VersionDateAuthorSummary of changes
1.02024-06-01Legal & ComplianceInitial Trust Center publication
2.02025-03-15GRC ProgramSOC 2 Type II alignment refresh; expanded subprocessors
2.52025-09-01Security EngineeringEncryption standards update; ISO 27001 mapping
3.02026-01-15Trust Center ProgramFull procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

ChannelEmailUse case
Trust & procurementtrust@acmecloud.comSecurity questionnaires, trust reviews
Securitysecurity@acmecloud.comIncidents, vulnerabilities, control questions
Privacyprivacy@acmecloud.comDSRs, privacy assessments
Legallegal@acmecloud.comContractual, DPA, legal notices

17. Security.txt and Contact Information

Acme Cloud publishes machine-readable security contact information at:

security.txt Location: https://acmecloud.com/.well-known/security.txt

FieldValue
Contactmailto:security@acmecloud.com
EncryptionPGP key URL
Acknowledgmentshttps://acmecloud.com/security/hall-of-fame
Policyhttps://acmecloud.com/trust-center/vulnerability-disclosure
Preferred-Languagesen
Canonicalhttps://acmecloud.com/.well-known/security.txt
ExpiresUpdated annually

PGP Key Fingerprint: Available at security.txt, rotated annually with 30-day overlap period.

18. Acknowledgments

Acme Cloud thanks the global security research community for their contributions to our security posture. Your responsible disclosure helps protect our customers and the broader ecosystem. We are committed to treating all good-faith researchers with respect, transparency, and appreciation.

Report vulnerabilities: security@acmecloud.com
Trust inquiries: trust@acmecloud.com
PGP encryption: Available via security.txt
Hall of Fame: acmecloud.com/security/hall-of-fame

This Policy is not a contract and may be updated at any time. The "Last updated" date indicates the current version. Material changes will be communicated via security.txt and Trust Center notification.

Last updated: January 15, 2026
EthicPages logoEthicPages