Responsible Disclosure Policy

1. INTRODUCTION

Oz Forensics is dedicated to maintaining the highest standards of security for its customers, employees, and systems. This policy reflects the company’s commitment to transparency, collaboration, and accountability. By encouraging responsible disclosure of vulnerabilities and violations, Oz Forensics strengthens its security posture and builds trust with the broader community. The Bug Bounty Program further incentivizes security researchers to contribute to the company’s security by offering rewards for valid vulnerability reports.

2. LEGAL POSTURE

Oz Forensics commits to protecting individuals who report vulnerabilities or violations in good faith. The company will not pursue legal action against individuals who: ▪ Conduct security testing without causing harm to Oz Forensics or its customers.

▪ Operate within the scope of the vulnerability disclosure program or Bug Bounty Program.

▪ Test products without impacting customers or obtain prior consent from customers before testing their systems.

▪ Comply with applicable laws in their jurisdiction and that of Oz Forensics.

▪ Refrain from publicly disclosing vulnerability details before an agreed-upon timeframe.

▪ Refrain from accessing, retaining, exfiltrating, or further processing any personal data encountered during security testing beyond what is strictly necessary to demonstrate the existence of a vulnerability. This policy ensures that researchers, whistleblowers, and Bug Bounty participants are treated fairly and that their contributions are valued. Protection under this section does not apply where a reporter has accessed, copied, or retained personal data in excess of what is strictly necessary to evidence a reported vulnerability, or where the reporter has failed to notify Oz Forensics of any personal data accessed during testing without undue delay.

3. VULNERABILITY DISCLOSURE

How to Submit a Vulnerability

Reports of vulnerabilities can be submitted to Oz Forensics’ Product Security Team via the form Report a Security Vulnerability on the website or by designated email address: security@ozforensics.com. Reporters should avoid including unnecessary personal data, customer data, credentials, production data, or other sensitive information in vulnerability reports. Where such information is strictly necessary to validate the issue, it shall be limited to the minimum necessary and handled confidentially in accordance with applicable security and privacy requirements.

The company ensures that all submissions are reviewed promptly and handled with confidentiality.

Preference, Prioritization, and Acceptance Criteria

Oz Forensics prioritizes and triages submissions based on the following criteria: ▪ Reports written in clear and concise English are given higher priority. ▪ Submissions that include proof-of-concept code or detailed technical information are prioritized. ▪ Reports containing only crash dumps or automated tool outputs may receive lower priority. ▪ Vulnerabilities outside the defined scope may also receive lower priority.

What we would like to see from You

▪ A detailed description of the vulnerability, including how it was discovered, its potential impact, and possible remediation steps. ▪ Any proof-of-concept code or supporting evidence to help validate the issue. ▪ Information about any plans for public disclosure, if applicable.

What you can expect from Oz Forensics

▪ Acknowledgment of your report within two business days.

▪ A clear timeline for remediation and regular updates on progress.

▪ Open communication to discuss the issue and its resolution.

▪ Notification when the vulnerability has been validated and fixed.

▪ Public recognition for your contribution, if desired, once the issue is resolved.

▪ Confidential handling of any personal data submitted as part of a vulnerability report, in accordance with applicable data protection requirements, including GDPR. If communication challenges arise, Oz Forensics may involve a neutral third party to facilitate resolution.

4. UPDATE TO THIS RESPONSIBLE DISCLOSURE POLICY

We may update this Responsible Disclosure Policy at any time. Any changes will become effective once the revised policy is published on or through the website. Such updates will be duly disclosed by Oz Forensics.

5. TALK TO US

We value your feedback. Please don’t hesitate to reach out if you have any questions, comments, or suggestions regarding this policy or the handling of vulnerability information. You can do so by sending an email to: security@ozforensics.com, or by contacting our office:

OZ FORENSICS SOFTWARE TRADING LLC Office 384, Saih Shuaib Bldg 2 area, DIC, Dubai, UAE