Purpose and Overview

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Joya Communication Inc.’s Marco Polo app or Channels app, and submitting discovered vulnerabilities to Joya.

All technology contains bugs. Maintaining the security of our networks is a priority at Joya. If you've found a security vulnerability with Marco Polo, our Channels app or our websites such as https://marcopolo.me, we'd absolutely appreciate hearing from you.

Please review the following terms before conducting any testing of Joya’s networks and before submitting a report. And thank you in advance.

Reporting Process

If you believe you have found a vulnerability or security flaw, please submit it by emailing us at bugs@marcopolo.me. The report should include a detailed description of the vulnerability (including type of issue, product, version, and configuration of software containing the bug) with clear, step-by-step instructions to reproduce the issue.

Guidelines

Joya will deal in good faith with researchers who discover, test, and submit vulnerabilities in accordance with these guidelines:

  • Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • Report any vulnerability you’ve discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use only the official channels to discuss vulnerability information with us (e.g., emailing bugs@marcopolo.me), and do not publicly disclose any details of the vulnerability or the content of information rendered available by a vulnerability, except upon receiving written authorization from Joya.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a vulnerability, and cease testing and submit a report immediately if you encounter any user information (such as names, emails, phone numbers or other personal user information as defined in our privacy policy) during testing.

Disclosure of Vulnerability

The contents of the report you submit will be made available to the Marco Polo team immediately, and will initially remain non-public to allow sufficient time to publish a remediation. After the report is closed, either party can publicly disclose the contents of the report if needed.

By default, the team will attempt to close all reports within 30 days.

Due to complexity and other factors, some vulnerabilities will require longer than 30 days to remediate. In these cases, the report will remain non-public to ensure that the Marco Polo team has an adequate amount of time to address the security issue.

We will attempt to be transparent in communications with the finder when such challenging cases present themselves.

Joya will not bring any legal action against anyone who makes a good faith effort to comply with this policy.

As long as you comply with this policy:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
  • We waive any restrictions in our Terms of Service that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

You are responsible for complying with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at bugs@marcopolo.me before going any further.

Bug Rewards

We value the efforts that finders put in to identify bugs and vulnerabilities. As a reward, on successful submission of a report, we will offer 1 year of Marco Polo Plus and, with your consent, list your name/handle on our Vulnerability Finders Hall of Fame.

Other

We reserve the right to modify the terms of this policy or terminate the policy at any time.

Our Public 2048-bit RSA Key to encrypt your report.
