[{"id":3763672,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM (and its acquired companies) products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations. In which, IBM requests all Security Researchers to allow IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program, although from time-to-time, some IBM teams may set up limited awards programs for special purposes. When a vulnerability is confirmed, remediated, and then disclosed, will will offer to recognize and credit the vulnerability reporter within our public disclosure.\n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n IBM Safe Harbor Policy\nGood Faith Security Research of IBM security flaws or vulnerabilities is protected by the IBM Safe Harbor Policy. For reporting methods available and for full details of the IBM Safe Harbor Policy, visit the 'Vulnerability Reporting' section of the IBM Security vulnerability management page at https://www.ibm.com/trust/security-vulnerability-management.\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-26T16:29:48.813Z"},{"id":3763645,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM (and its acquired companies) products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations. In which, IBM requests all Security Researchers to allow IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program, although from time-to-time, some IBM teams may set up limited awards programs for special purposes. When a vulnerability is confirmed, remediated, and then disclosed, will will offer to recognize and credit the vulnerability reporter within our public disclosure\n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n IBM Safe Harbor Policy\nGood Faith Security Research of IBM security flaws or vulnerabilities is protected by the IBM Safe Harbor Policy. For reporting methods available and for full details of the IBM Safe Harbor Policy, visit the 'Vulnerability Reporting' section of the IBM Security vulnerability management page at https://www.ibm.com/trust/security-vulnerability-management.\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-26T12:06:15.347Z"},{"id":3762372,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM (and its acquired companies) products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations. In which, IBM requests all Security Researchers to allow IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n IBM Safe Harbor Policy\nGood Faith Security Research of IBM security flaws or vulnerabilities is protected by the IBM Safe Harbor Policy. For reporting methods available and for full details of the IBM Safe Harbor Policy, visit the 'Vulnerability Reporting' section of the IBM Security vulnerability management page at https://www.ibm.com/trust/security-vulnerability-management.\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-04T21:06:54.705Z"},{"id":3752121,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations. In which, IBM requests all Security Researchers to allow IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n IBM Safe Harbor Policy\nGood Faith Security Research of IBM security flaws or vulnerabilities is protected by the IBM Safe Harbor Policy. For reporting methods available and for full details of the IBM Safe Harbor Policy, visit the 'Vulnerability Reporting' section of the IBM Security vulnerability management page at https://www.ibm.com/trust/security-vulnerability-management.\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-19T22:48:11.214Z"},{"id":3730819,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations. In which, IBM requests all Security Researchers to allow IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-24T19:30:29.612Z"},{"id":3697832,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same. This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party. The recommended time frame for disclosure is no sooner than 30 days after the fix is made publicly available.\n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-13T19:03:39.987Z"},{"id":3682530,"new_policy":"IBM recognizes how important the security community is in keeping our IBM products, offerings, services, websites and secrets safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-25T20:57:44.524Z"},{"id":3682505,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, websites and secrets.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-25T13:55:30.873Z"},{"id":3669332,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-07T16:14:55.558Z"},{"id":3659727,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 7 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-08T16:54:45.138Z"},{"id":3658307,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported.\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 5 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-15T14:29:20.510Z"},{"id":3658306,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products.  \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle to determine which product versions are still supported.\n\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 5 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-15T14:27:35.505Z"},{"id":3658305,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products. \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Support Software lifecycle at https://www.ibm.com/support/pages/lifecycle/ to determine which product versions are still supported. \n\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 5 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-15T14:21:12.736Z"},{"id":3637172,"new_policy":"IBM recognizes how important the security community is in keeping our products, offerings, services and websites safe for our customers and users. We thank you in advance for your contributions to our vulnerability disclosure program.\nVulnerability reports submitted via this program will be handled by IBM’s global Product Security Incident Response Team (PSIRT).  This team will coordinate with other IBM teams to investigate, and if needed, identify the appropriate response plan.  Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\n\nScope\n•\tThis Program is limited to exploitable security vulnerabilities and CVE found in IBM products, offerings, services, and websites.  \n•\tWe ask that customers and other entitled users of an IBM product or offering contact IBM Technical Support to report any potential issues that they may discover in their use of those products. \n•\tPlease only report vulnerabilities for IBM products that are still being supported by IBM. Check our IBM Software lifecycle to determine which product version are still supported.\n\n\nProcess\n•\tIBM aims to respond to all new vulnerability reports within 5 business days.  \n•\tTo protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.  \n•\tIBM follows common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same.  This means allowing IBM the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.  \n•\tIBM does not participate in a bug bounty awards program at this time.  However, when a vulnerability is confirmed, remediated, and then disclosed - we will offer to recognize and credit the vulnerability reporter within our public disclosure. \n\n\nGuidelines\n\n•\tWhen submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.\n•\tDo not include any information in vulnerability reports, including in any attachments, that may identify an individual (such as a name, contact information, IP address or other similar information).\n•\tIn researching a vulnerability do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n•\tFor the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.\n•\tFindings which do not demonstrate any actionable vulnerability will not be accepted by this program.  Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information that is intended to be publicly accessed or otherwise does not present real risk to IBM or our customers.\n\n\nLegal Notice\nSo that IBM may utilize your vulnerability report to determine and develop appropriate remediation procedures, by submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. \n\nAlso, for similar reasons, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-09T14:05:44.057Z"},{"id":3635456,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\n- This Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated and you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. \n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Disclosure of information that does not present a significant risk.\n- self-XSS vulnerabilities which are not directly exploitable or would require convincing the user to copy/paste the JavaScript payload into the vulnerable field.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-27T11:33:05.268Z"},{"id":3635095,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\n- This Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated and you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. \n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Disclosure of information that does not present a significant risk\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-16T12:19:13.363Z"},{"id":3629403,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\n- This Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated and you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. \n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-28T19:19:19.924Z"},{"id":3627953,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\n- This Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. \n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-10T13:53:18.906Z"},{"id":3609952,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\n- This Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-21T14:13:15.341Z"},{"id":3609951,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines\nThis Program Policy is limited to exploitable security vulnerabilities and CVE found in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-21T14:11:38.451Z"},{"id":3601768,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-31T15:41:24.586Z"},{"id":3600551,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com).\n- To be eligible to participate in this program, you must not be under contract to perform security testing by IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.\n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-15T20:51:58.241Z"},{"id":3600473,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Contact IBM Cloud support to report vulnerabilities found on *.mybluemix.net.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-14T21:14:23.559Z"},{"id":3594530,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not lead to an actionable vulnerability or do not have a CVE.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-13T16:41:56.253Z"},{"id":3593234,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive state changing actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not have any CVEs.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-01T01:22:54.049Z"},{"id":3593199,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that do not have any CVEs.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-31T19:48:23.482Z"},{"id":3593198,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Best practices that are not vulnerabilities, do not have any CVEs or a proof of concept.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-31T19:43:19.135Z"},{"id":3592628,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-26T06:49:35.270Z"},{"id":3591730,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-17T22:44:32.447Z"},{"id":3590306,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-01T18:12:58.040Z"},{"id":3589270,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n- Publicly known data meant to be accessed by anyone.  Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-19T16:14:14.796Z"},{"id":3589269,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-19T16:06:47.825Z"},{"id":3588732,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\nIf you need to report security issues on any of the IBM products, please refer to the following link: \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-14T15:47:35.525Z"},{"id":3588731,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\nIf you need to report security issues on any of the IBM products, please refer to the following link: \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-14T15:47:25.888Z"},{"id":3588534,"new_policy":"IBM recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.\n\nThe IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.\n\nIBM will aim to respond to new reports within 5 business days.  Please note, report status marked as triaged is subject to change pending team's final analysis.\n\nCustomers and other entitled users of a product or solution should contact IBM Technical Support to report issues discovered in IBM offerings. If the IBM Technical Support Team determines that a reported issue is a security vulnerability, it will contact IBM PSIRT, as needed.\n\n# Guidelines \n- This Program Policy is limited to security vulnerabilities in IBM products and IBM websites (*.ibm.com) \n- Only report vulnerabilities for IBM software that is currently in support.  Check our [IBM Software lifecycle](https://www.ibm.com/support/home/pages/lifecycle/?from=index_a) to ensure the version you are using is supported.\n- To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to IBM, you agree to not publicly disclose or share the vulnerability with any third party until IBM confirms that the vulnerability has been remediated or you have received written permission from IBM to publish information about the vulnerability.\n- When submitting a report, you acknowledge you are subject to [HackerOne's Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) (as modified by this Program Policy regarding disclosure timelines), the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and the [HackerOne General Terms and Conditions](https://www.hackerone.com/terms/general).\n- IBM does not participate in bug bounty awards programs at this time.\n- In order for IBM to evaluate your vulnerability report, you agree to provide the information requested by IBM in our vulnerability submission form.\n- Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.\n- In addition to your obligations under the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions, do not cause harm to IBM or our customers, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.\n- Please do not attach any video or executable files to your report. We will accept image attachments only.\n- When submitting reports to us, we please ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets. In making life easy for us, we will ensure you get the reputation you deserve.\n\n\n# Out of Scope Vulnerabilities\n## The following submissions are not accepted as part of this program.\n- Clickjacking on pages with no sensitive actions.\n- Unauthenticated/logout/login CSRF.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n-  IBM software that has reached End Of Support (EOS) is not accepted and will receive a \"Not Applicable\" response.\n- Contact [IBM IT security](https://www.ibm.com/contact) to report IBM's Personal Information (PI), information classified as IBM Confidential, or information belonging to a client that has been exposed, disclosed, misused, stolen, or accessed inappropriately.\n- Contact IBM Cloud support to report vulnerabilities found on Softlayer and SoftLayer hosted websites such as: *.bluemix.net, *.cloud.ibm.com, *.mybluemix.net, *.softlayer.com, TheWeatherCompany, *.composedb.com, *.ustream.tv, *.video.ibm.com, watsondevelopercloud.com, watsonplatform.ne\n\n# Legal Notice\nBy submitting a vulnerability report to IBM, you grant to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.\n\nThank you for helping keep IBM and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-12T16:33:42.941Z"}]