Responsible Disclosure Program Terms of Use

Thank you for offering to share information regarding a security vulnerability with us. The security of our applications and the data we are responsible for protecting is important to us and we are grateful for any information you can share with us about how we can further improve it.

By submitting a vulnerability report, you are agreeing to the terms below (the “Terms of Use”), which are intended to protect both you and us.
  1. Safe Harbor. If you submit a vulnerability report to us, using the process outlined below, in compliance with all of the terms in these Terms of Use, we will not pursue civil action or initiate a complaint to law enforcement against you for accessing our systems without authorization in order to identify that vulnerability.
  2. Submission Process. Please submit all vulnerability reports to us by email at the email address ResponsibleDisclosure@bcg.com. In each report submitted, include:

    a. a description of the vulnerability;
    b. the URL, IP address, port, or other information that would assist us in locating the vulnerability;
    c. detailed and clear steps to reproduce the issue (including logs, screenshots, responses, or other evidence) or proof of concept code;
    d. how you found the issue;
    e. presumed impact;
    f. any remediation steps you would suggest; and
    g. your name and contact details.

  3. Scope. You may not access any individual workstation, or system, network, content, application or data of any third party, in connection with this program. The safe harbor described above does not apply to any such system, network, content, application or data.
  4. Methodology. You may not engage in any denial of service attack, attempts to compromise physical security or enter physical premises, or other destructive methodologies. As soon as you have identified the vulnerability, you must cease testing of it and report it as described above. The safe harbor described above does not apply to any activity that violates the terms of this Section.
  5. No Access to Personal Data or Misuse of Data. By participating in this program, you represent that you have not at any time accessed personal data of our customers or users found on our systems, and that, in the event that you inadvertently acquired any, you have securely deleted that data. You represent that you have not, and covenant that you will not, misuse any data extracted from our environment for any fraudulent, malicious, defamatory, abusive, threatening, unlawful or otherwise improper purpose.
  6. Intellectual Property Rights. By submitting information relating to a vulnerability, you grant us a perpetual, worldwide, royalty-free, fully paid-up license to use and disclose any information you submit, including any proofs of concept, patches, improvements, suggestions, code samples or any other information, in connection with the vulnerability to analyze, remediate or improve our systems and networks, incorporate it into our products or services, and to conduct further testing, or for any other legitimate business purpose. We do not grant you any intellectual property rights to any image, information, writing, invention, code or other creation in connection with these Terms of Use.
  7. Sanctions. By submitting information relating to a vulnerability, you represent that you are not subject to any export sanctions or other trade restrictions, whether due to being included on the sanctions list maintained by the U.S. Office of Foreign Assets Control, or other governmental bodies in the United States or European Union, individually, being a member of an organization on that list, or being a resident of a country that is sanctioned by the United States or European Union.
  8. Independent Contractor. Nothing in connection with your submission of a vulnerability shall indicate that you are an employee of BCG and the relationship between you and BCG shall not constitute a partnership, joint venture or agency. You shall not have the authority to make any statement, representation or commitment on BCG’s behalf.
  9. Disclaimer of Liability and Obligation. BCG, its officers, affiliates, representatives, contractors and employees shall not be liable to you in connection with these Terms of Use for any direct, indirect, exemplary, incidental, special or consequential damages. Unless otherwise agreed by BCG, any information submitted by you in connection with a vulnerability is provided at no charge and BCG shall not owe you any fee for that submission or any services performed or expenses incurred.
  10. Miscellaneous. These Terms of Use are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of laws principles. You shall not use any logo or other trademark of BCG without our explicit prior consent.
  11. Encrypted Messages. Please use our PGP key posted in the collapsible element below to send an encrypted message.

PGP Public Key

On behalf of ourselves and our users and customers, thank you again for helping us improve our cybersecurity.

BCG reserves the right, in its sole discretion, to modify the terms of the Responsible Disclosure Guidelines or to terminate any or all of them at any time.