Effective Date: January 1, 2026

Introduction

At Wireless Horizon Inc., we are committed to maintaining the highest standards of security for our users, customers, and systems. We value the contributions of security researchers and the broader community in helping us identify and address potential vulnerabilities. This Responsible Vulnerability Disclosure Policy (VDP) provides clear guidelines for researchers to report security issues in a safe and collaborative manner.

We encourage ethical security research and responsible disclosure. By following this policy, you help us protect our users while we work together to resolve issues promptly.

Authorization and Safe Harbor

If you conduct security research in good faith and comply with this policy, we consider your activities authorized. Wireless Horizon, Inc. will not pursue legal action against you for such research, nor will we recommend or support actions by third parties. We will work with you to understand and remediate the issue.

Good faith compliance includes:

- Reporting vulnerabilities privately to us before public disclosure.

- Avoiding actions that could harm users, systems, or data (e.g., no privacy violations, data destruction, or service disruptions).

- Limiting testing to confirming the vulnerability's existence without exploiting it further.

Should any third-party legal action arise from your compliant research, we will make this authorization known to support you.

Guidelines for Researchers

To ensure productive collaboration, please adhere to these principles:

- Notify us as soon as possible after discovering a vulnerability.

- Provide sufficient details to reproduce the issue, but stop testing once the vulnerability is confirmed.

- Do not access, modify, or exfiltrate unnecessary data, including personally identifiable information (PII).

- Avoid high-volume, low-quality reports or automated scanning that could disrupt services.

- Give us reasonable time (e.g., up to 90 days) to investigate and resolve before any public disclosure.

- If you encounter sensitive data, cease testing immediately, notify us, and do not share it.

Unauthorized activities include:

- Denial-of-service (DoS) attacks.

- Physical security testing, social engineering (e.g., phishing), or non-technical methods.

- Posting malicious software or degrading system performance.

- Publicly disclosing vulnerabilities without our consent.

Scope

This policy applies to all Wireless Horizon Inc.-owned and operated systems, websites, applications, and services accessible via the internet.

Specific inclusions:

- Our primary domains: www.wirelesshorizoninc.com

Exclusions:

- Third-party services or vendors (report directly to them per their policies).

- Any systems not explicitly listed—contact us first if unsure.

We may expand this scope over time and will update the policy accordingly. If a system is out of scope but you believe it warrants testing, please reach out for discussion.

Reporting a Vulnerability

Submit reports via email to gavin.lemons@wirelesshorizoninc.com. Submissions are welcome; we do not require personal information, though providing contact details allows us to follow up.

Include in your report:

- A clear description of the vulnerability, including location (e.g., URL, endpoint) and potential impact.

- Steps to reproduce, with proof-of-concept (PoC) code, screenshots, or logs if applicable.

- Any supporting evidence (e.g., HTTP requests/responses).

- Your preferred method for communication (if not anonymous).

We prefer reports in English and support encrypted submissions. Do not include sensitive data in initial reports.

For highly sensitive issues, use our HTTPS-secured form to minimize risks.

Our Response Process

We commit to handling reports professionally and transparently:

- Acknowledgment: Within 3 business days of receipt.

- Validation and Triage: We'll assess the report, confirm the vulnerability, and prioritize based on severity (e.g., using CVSS scoring).

- Updates: Regular communication on progress, including any challenges or delays.

- Resolution: Aim to fix critical issues within 30 days, others within 90 days. We'll involve you in verification if appropriate.

- Public Disclosure: After resolution, we may publish a security advisory with your credit (if desired). We encourage coordinated disclosure.

If the vulnerability affects multiple parties, we may share anonymized details with entities like CISA for broader coordination.

Document Change History
 V.1 | 2025-12-30
 1.0     December, 30, 2025 | Initial publication.

 

Questions and Updates

For questions about this policy, contact security@wirelesshorizoninc.com. We review and update this policy annually or as needed.
By publishing this policy, we aim to foster a collaborative security ecosystem. Thank you for helping us stay secure!

Public-Facing Responsible Vulnerability Disclosure Policy