JASON MITCHELL GROUP

RESPONSIBLE DISCLOSURE POLICY

Preamble

Jason Mitchell Group (“JMG”) places critical importance on the security and integrity of its systems and data, recognizing that these elements are fundamental to maintaining trust within our marketplace. JMG values the contributions of independent security researchers and experts who assist in identifying and mitigating potential vulnerabilities. This Responsible Disclosure Policy (the “Policy”) outlines the framework under which JMG welcomes and handles the reporting of security-related issues by external parties.

  1. Policy Scope and Commitment

This Policy is intended to foster a collaborative and responsible approach to vulnerability disclosure. It applies to JMG’s public-facing systems, including https://thejasonmitchellgroup.com and its agent subdomains, but excludes internal systems such as employee databases or backend infrastructure unless explicitly authorized. By adhering to the guidelines set forth herein, security researchers can contribute to the enhancement of JMG’s security posture while safeguarding the privacy and data of our users.

  2. Note Regarding Compensation

This is not a bug bounty program. JMG does not offer monetary rewards or compensation for identifying security vulnerabilities. However, in recognition of valuable contributions, JMG may, at its discretion, publicly acknowledge the first reporter of a confirmed vulnerability in our Security Hall of Fame on https://thejasonmitchellgroup.com, unless anonymity is requested.

  3. Good Faith Commitment

JMG commits to:

  1. Acknowledge receipt of vulnerability reports within 48 hours.
  2. Investigate and, where appropriate, remediate reported vulnerabilities within 30–90 days, depending on severity.
  3. Refrain from initiating legal action against individuals who report vulnerabilities in good faith and comply with this Policy and applicable laws, including the Computer Fraud and Abuse Act (CFAA). This commitment is intended to create a “safe harbor” for researchers who act responsibly and ethically.

  4. Reporting a Vulnerability

To report a security issue or potential vulnerability, please send a detailed report to techteam@jasonmitchellgroup.com. If desired, communications may be encrypted using PGP; please contact us to obtain the JMG public key. This policy is available in alternative formats (e.g., PDF) upon request.

Reports should include, at a minimum, the following information, presented in English:

  1. Detailed Description: A clear and comprehensive description of the vulnerability, including its potential impact.
  2. Discovery Method: An explanation of how the vulnerability was discovered.
  3. Reproduction Steps: Precise and repeatable steps to reproduce the observed vulnerability.
  4. Supporting Evidence: Any supporting materials or evidence (e.g., screenshots, code snippets) that aid in understanding and validating the vulnerability.

  5. Reporting Principles and Prohibitions

When conducting security research and reporting potential vulnerabilities, researchers must adhere to the following principles:

  1. Data Protection:
    1. Upon encountering sensitive information or Personally Identifiable Information (“PII”), immediately cease testing and notify JMG.
    2. Access and view only the information necessary to identify and report the vulnerability.
    3. Refrain from saving, storing, distributing, or otherwise disclosing any sensitive or proprietary information.
  2. Sufficient Information:
    1. Provide detailed and actionable information that enables JMG to replicate and address the vulnerability. Reports consisting solely of crash dumps or automated tool outputs are insufficient.
  3. Authorized Access:
    1. Interact only with accounts owned by the researcher or for which explicit permission has been granted. JMG authorizes the creation of test accounts for research purposes.
  4. Confidentiality:
    1. Maintain strict confidentiality regarding any confidential or proprietary information of JMG, any PII, or any information not accessible through publicly available channels. Do not disclose such information to any third parties.

Prohibited Activities

The following activities are strictly prohibited:

  1. Integrity and Availability:
    1. Do not take any actions that could compromise the integrity or availability of JMG’s systems or data. If performance degradation or interruption is observed, immediately suspend all use of automated tools.
  2. Prohibited Methods: The following methods are expressly prohibited:
    1. Denial-of-Service Attacks,
    2. Phishing or Spear Phishing,
    3. Social Engineering, and
    4. Physical Attacks against JMG’s Data Centers or Property.

Enforcement and Legal Considerations

Failure to comply with this Policy may result in disqualification from any potential recognition and may also result in legal action. JMG reserves all rights and remedies in the event of any violation of this Policy or applicable law. However, JMG will not pursue legal action against researchers who comply with this Policy and applicable laws, providing a safe harbor for good-faith reporting.

Acknowledgments and Appreciation

JMG greatly appreciates the efforts of security researchers who contribute to enhancing the security of our platform. We will notify researchers of Policy updates via the website or by email to subscribers of techteam@jasonmitchellgroup.com. We believe that a collaborative approach to vulnerability disclosure is essential for maintaining a secure environment for our users and the continued success of JMG.

We look forward to working with you.