Responsible Disclosure Policy

Created Date: May 7, 2025

Overview

This Responsible Disclosure Policy is designed to guide individuals and researchers who discover vulnerabilities within The Benecon Group, LLC’s (hereinafter referred to as “the company”) systems, networks, and physical locations. The policy ensures that reported vulnerabilities are addressed efficiently and responsibly, mitigating potential risks before they can be exploited by malicious actors. It also ensures that those reporting vulnerabilities are protected and not subject to legal action.

Scope

This policy applies to all individuals who are using, accessing, or interacting with The Benecon Group, LLC’s systems, networks, and physical locations at 201 East Oregon Road, Lititz, Pennsylvania.

Reporting

Vulnerabilities should be reported directly to the company’s Information Security team rather than being disclosed publicly. Reports can be submitted through the company’s designated contact form, available on the company website, or by calling the company’s main phone number at (888) 400-4647. 

Coordination and Collaboration

Upon receiving a report, the company will, if requested by the researcher, engage in collaboration to:

  • Verify the existence and scope of the vulnerability.
  • Assess the potential impact of the vulnerability.
  • Develop an appropriate remediation strategy and timeline to mitigate the vulnerability.

Timelines

The company is committed to addressing reported vulnerabilities in a timely manner. A reasonable timeline will be established in consultation with the researcher to allow the company adequate time to resolve the issue before any public disclosure. This timeline will be determined based on the severity and impact of the vulnerability. 

Safe Harbor 

The company offers safe harbor to individuals who report vulnerabilities in good faith. This means that:

  • The company will not take legal action against researchers who responsibly report vulnerabilities.
  • The identity and contact information of the researcher will be kept confidential, unless disclosure is required by law.

Public Disclosure

If a vulnerability is not addressed within the agreed-upon timeframe, or if there is significant risk to users or the company, the researcher may disclose the vulnerability publicly. However, the company will make every effort to resolve the issue before such disclosure occurs.

Acknowledgements

The company acknowledges the critical role that security researchers play in enhancing the security and safety of its systems. As such, the company will recognize those who responsibly disclose vulnerabilities by providing appropriate public acknowledgment where possible, unless the researcher prefers to remain anonymous.