Vulnerability Disclosure Policy

Public ReadinessOS policy document for governance, transparency and operational trust.

Document status

Version: 1.0
Source: 33_vulnerability_disclosure_policy.md
Format: Markdown

READINESSOS

Policy: Vulnerability Disclosure Policy

Version: 1.0

Effective Date: 06/06/2026

Last Updated: 06/06/2026

Contact: ReadinessOS@proton.me


1. Document Purpose

This Vulnerability Disclosure Policy establishes the process by which security researchers, customers, users, and third parties may responsibly report suspected security vulnerabilities affecting the ReadinessOS platform.

The objective of this policy is to improve platform security through responsible collaboration while protecting users, infrastructure, and operational data.

ReadinessOS encourages good-faith security research conducted in accordance with this policy.


2. Scope

This policy applies to:

  • Web applications
  • Mobile applications
  • APIs
  • Authentication systems
  • User accounts
  • Vessel accounts
  • Future fleet accounts
  • Readiness Passport services
  • AI-assisted services
  • Platform infrastructure
  • Future enterprise integrations

3. Definitions

For the purposes of this policy:

Security Vulnerability means a weakness that could reasonably allow unauthorized access, disclosure, modification, disruption, or destruction of platform resources or data.

Security Researcher means an individual or organization acting in good faith to identify and responsibly disclose security issues.

Responsible Disclosure means privately reporting a vulnerability to ReadinessOS before public disclosure.


4. Security Philosophy

ReadinessOS recognizes that responsible security research contributes to a safer platform.

Constructive collaboration between researchers and platform operators benefits the entire ReadinessOS community.

Good-faith reporting is encouraged.


5. Reporting a Vulnerability

Suspected vulnerabilities should be reported through:

[ReadinessOS@proton.me](mailto:ReadinessOS@proton.me)

Reports should include sufficient information to reasonably reproduce and investigate the issue.

Where practical, reports should include:

  • Description of the issue
  • Steps to reproduce
  • Affected functionality
  • Screenshots if applicable
  • Proof-of-concept where appropriate
  • Potential impact

6. Good-Faith Research

ReadinessOS supports good-faith research conducted for the purpose of improving platform security.

Researchers should avoid actions that unnecessarily disrupt platform operation or expose user information.

Good-faith testing should remain proportionate and limited.


7. Prohibited Activities

Researchers shall not:

  • Access data belonging to other users
  • Exfiltrate personal information
  • Modify platform data
  • Destroy information
  • Interrupt platform availability
  • Conduct denial-of-service attacks
  • Deploy malware
  • Install persistent access mechanisms
  • Circumvent payment systems
  • Abuse authentication systems
  • Conduct social engineering attacks against personnel

Such actions may result in legal or administrative action.


8. Privacy Protection

Researchers who discover that a vulnerability gives them access to personal information should immediately cease testing and report the issue without accessing, reading, or retrieving any further data.

Personal information should not be copied, distributed, retained, or publicly disclosed.

ReadinessOS prioritizes the protection of user privacy during vulnerability investigations.


9. Investigation Process

Upon receiving a vulnerability report, ReadinessOS may:

  • Acknowledge receipt
  • Investigate the issue
  • Validate the report
  • Prioritize remediation
  • Coordinate with infrastructure providers
  • Deploy corrective measures
  • Request additional information where necessary

Investigation timelines may vary depending upon complexity and severity.


10. Public Disclosure

Researchers are encouraged to allow ReadinessOS reasonable time to investigate and remediate vulnerabilities before public disclosure.

Premature public disclosure may increase risk to users and platform security.

ReadinessOS may coordinate responsible disclosure where appropriate.


11. Recognition

ReadinessOS may acknowledge responsible security researchers where appropriate.

Recognition remains discretionary and may include:

  • Thank-you communications
  • Security acknowledgments
  • Future recognition programs

ReadinessOS does not currently operate a bug bounty program unless separately announced.


12. No Authorization Beyond Policy

Nothing within this policy authorizes researchers to:

  • Access confidential information
  • Bypass authentication
  • Test production systems excessively
  • Perform destructive testing
  • Interfere with user accounts
  • Violate applicable law

Testing remains limited to responsible, proportionate activities.


13. Third-Party Services

Some vulnerabilities may involve third-party providers including:

  • Cloud providers
  • Authentication providers
  • AI providers
  • Payment processors
  • Email providers
  • Infrastructure providers

ReadinessOS may coordinate with such providers where necessary to facilitate remediation.


14. Legal Considerations

Researchers remain responsible for complying with applicable laws.

Nothing in this policy grants immunity for unlawful conduct.

ReadinessOS reserves all legal rights regarding malicious activity or unauthorized access.


15. Limitation of Liability

ReadinessOS does not guarantee compensation, rewards, or contractual rights arising from vulnerability reports unless expressly agreed in writing.

Submission of a report does not create an employment, consulting, or commercial relationship.


16. Relationship to Other Policies

This policy should be interpreted together with:

  • Terms of Service
  • Platform Security Policy
  • Acceptable Use Policy
  • Privacy Policy
  • Data Processing Agreement (DPA)
  • API & Third-Party Integration Policy
  • Account Suspension and Fraud Policy

Where conflicts exist regarding personal information processing, the Privacy Policy shall govern.


17. Policy Updates

ReadinessOS may revise this policy as platform architecture, security practices, infrastructure providers, or legal requirements evolve.

Updated versions become effective upon publication unless otherwise specified.


18. Revision History

Version   Date         Description
1.0       06/06/2026   Initial production release

END OF DOCUMENT