
Vulnerability Disclosure Policy

Purpose and Overview

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Joya Communication Inc.'s Marco Polo app and submitting discovered vulnerabilities to Joya.

All technology contains bugs. Maintaining the security of our networks is a priority at Joya. If you've found a security vulnerability with Marco Polo or our websites such as https://marcopolo.me, we'd absolutely appreciate hearing from you.

Please review the following terms before conducting any testing of Joya's networks and before submitting a report. And thank you in advance.

Reporting Process

If you believe you have found a vulnerability or security flaw, please submit it by emailing us at security@marcopolo.me. The report should include a detailed description of the vulnerability (including type of issue, product, version, and configuration of software containing the bug) with clear, step-by-step instructions to reproduce the issue.

Guidelines

Joya will deal in good faith with researchers who discover, test, and submit vulnerabilities in accordance with these guidelines:

  • Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • Report any vulnerability you've discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use only the official channels to discuss vulnerability information with us - e.g., emailing security@marcopolo.me, and do not publicly disclose any details of the vulnerability or the content of information rendered available by a vulnerability, except upon receiving written authorization from Joya.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a vulnerability; and cease testing and submit a report immediately if you encounter any user information (such as names, emails, phone numbers or other personal user information as defined in our privacy policy) during testing.

Disclosure of Vulnerability

The contents of the report you submit will be made available to the Marco Polo team immediately, and will initially remain non-public to allow sufficient time to publish a remediation. After the report is closed, either party can publicly disclose the contents of the report if needed.

By default, the team will attempt to close all reports within 30 days.

Due to complexity and other factors, some vulnerabilities will require longer than 30 days to remediate. In these cases, the report will remain non-public to ensure that the Marco Polo team has an adequate amount of time to address the security issue.

We will attempt to be transparent in communications with the finder when such challenging cases present themselves.

Legal Safe Harbor

Joya will not bring any legal action against anyone who makes a good faith effort to comply with this policy.

As long as you comply with this policy:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
  • We waive any restrictions in our Terms of Service that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

You are responsible for complying with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at security@marcopolo.me before going any further.

Bug Rewards

We value the efforts that finders put in to identify bugs and vulnerabilities; however, we do not currently have a bug bounty program.

Other

We reserve the right to modify the terms of this policy or terminate the policy at any time.

Here is our public PGP key to encrypt your report.


Effective date: March 25, 2025.


2026 © Joya Communications Inc.
