Corporate Governance Documents

Security / Responsible Disclosure

Effective date 01.03.2026
Company ROCKART INC.
Website rockart.inc

01 Commitment to Security

ROCKART INC. is committed to maintaining the security and integrity of its website, digital infrastructure, and related technologies.
We take reasonable and appropriate measures to protect the confidentiality, integrity, and availability of our systems and digital assets, and we seek to address potential security vulnerabilities in a responsible and timely manner.
Rockart welcomes good-faith reports from security researchers and members of the community who identify potential vulnerabilities and are willing to disclose them responsibly in accordance with this Policy.

02 Scope

This Responsible Disclosure Policy applies solely to:
— The website located at rockart.inc
— Publicly accessible digital assets, domains, and subdomains owned or operated by ROCKART INC.
— Online services and systems that are directly owned and controlled by Rockart
This Policy does not apply to:
— Third-party services, platforms, software, or infrastructure
— External integrations, APIs, or embedded tools not owned or controlled by Rockart
— Systems operated by partners, vendors, or affiliates unless expressly stated
Vulnerabilities identified in third-party systems should be reported directly to the respective provider in accordance with their applicable policies.
Nothing in this Policy shall be construed as extending Rockart’s responsibility to systems outside its ownership or control.

03 Reporting a Vulnerability

If you believe you have identified a potential security vulnerability within the scope of this Policy, please notify us promptly by sending an email to:
Email: security@rockart.inc
Subject Line: “Security Vulnerability Report”
To assist us in evaluating and investigating the issue, please include, where possible:
— A clear and detailed description of the vulnerability
— The affected URL, system, domain, or feature
— Step-by-step instructions to reproduce the issue
— Non-destructive proof-of-concept information (if applicable)
— Your name and contact information
We request that vulnerability reports be submitted in good faith and that you refrain from publicly disclosing the vulnerability or sharing it with third parties until Rockart has had a reasonable opportunity to investigate and remediate the issue.
Nothing in this section authorizes testing beyond the scope defined in this Policy.

04 Responsible Research Guidelines

When conducting security research within the scope of this Policy, you agree to act in good faith and in a manner that minimizes risk to users, systems, and data.
In particular, you agree to:
— Act in good faith and avoid violating the privacy or rights of others
— Avoid disrupting services, impairing availability, or degrading user experience
— Not access, modify, delete, exfiltrate, or otherwise misuse data that does not belong to you
— Limit testing strictly to what is reasonably necessary to demonstrate the existence of a vulnerability
— Not exploit a vulnerability for personal gain, competitive advantage, or malicious purposes
— Not conduct denial-of-service attacks, brute-force attacks, automated exploitation attempts, or social engineering activities
— Not attempt to bypass authentication or authorization controls except to the minimal extent necessary to validate a reported issue
Testing must be limited to your own accounts, data, and environments and must not adversely affect other users, systems, or data.
Failure to comply with these guidelines may result in the loss of safe harbor protections under this Policy.

05 Safe Harbor

Provided that you comply in full with this Responsible Disclosure Policy, act in good faith, and limit your activities to those reasonably necessary to identify and report a security vulnerability within the defined scope, Rockart will not initiate legal action against you for security research activities conducted in accordance with this Policy.
This Safe Harbor applies only to actions that:
— Are carried out in good faith
— Are consistent with the Scope and Responsible Research Guidelines set forth in this Policy
— Are intended solely to identify and responsibly disclose security vulnerabilities
This Safe Harbor does not apply to activities that:
— Violate applicable laws or regulations
— Involve unauthorized access beyond what is reasonably necessary to validate a vulnerability
— Involve data theft, data exfiltration, extortion, ransom, or unauthorized disclosure of information
— Disrupt services, impair system availability, or cause harm to users or systems
— Exploit vulnerabilities for commercial advantage, personal gain, or malicious purposes
— Involve social engineering, physical intrusion, or testing outside the defined scope
Nothing in this Policy shall be construed as granting immunity from legal action for conduct that falls outside the protections expressly described herein.

06 No Bug Bounty

Rockart does not currently operate a public bug bounty or vulnerability reward program.
Submission of a vulnerability report under this Policy does not create any entitlement to compensation, payment, reward, or other consideration, unless expressly agreed in a separate written agreement executed by an authorized representative of ROCKART INC.
Nothing in this Policy shall be construed as creating a contractual obligation, partnership, agency relationship, or expectation of remuneration.
Rockart reserves the right, in its sole discretion, to determine whether to provide acknowledgment, recognition, or compensation in individual cases.

07 Third-Party Systems

If a reported vulnerability relates to a third-party system, platform, service, infrastructure provider, or integration that is not owned or directly controlled by ROCKART INC., Rockart may, at its discretion, coordinate with the relevant third-party provider where appropriate.
However, Rockart does not control and does not assume responsibility or liability for the security, availability, or remediation of vulnerabilities in systems not owned, operated, or directly controlled by the Company.
Security issues affecting third-party systems should be reported in accordance with the respective provider’s security or responsible disclosure policies.
Nothing in this Policy shall be construed as extending Rockart’s Safe Harbor protections or remediation obligations to third-party systems.

08 Response Process

Upon receipt of a vulnerability report submitted in accordance with this Policy, Rockart will, in its discretion:
— Acknowledge receipt of the report within a reasonable timeframe
— Review, assess, and, where appropriate, validate the reported vulnerability
— Determine the appropriate course of action based on severity, risk, and technical impact
— Communicate with the reporting party as reasonably appropriate during the review process
Remediation timelines may vary depending on factors including, but not limited to:
— The severity and exploitability of the vulnerability
— Technical complexity
— Operational considerations
— Dependencies on third-party systems
Nothing in this section shall be construed as creating a binding obligation to implement specific corrective measures within a defined timeframe.

09 Legal Disclaimer

Nothing in this Security & Responsible Disclosure Policy shall be construed as:
— A waiver of any legal rights, defenses, or remedies available to ROCKART INC.
— A legally binding agreement or contractual undertaking
— A guarantee of response, remediation, or resolution within any specific timeframe
— An obligation to implement any particular corrective measure or system modification
This Policy does not expand, modify, or limit any rights or obligations set forth in the applicable Terms of Use or other legal notices published on the Website.
Rockart expressly reserves all rights under applicable laws and regulations.

10 Updates to This Policy

Rockart may amend, revise, or update this Security & Responsible Disclosure Policy from time to time to reflect:
— Changes in applicable laws or regulatory guidance
— Updates to security practices or internal governance procedures
— Technical or operational developments
Any updated version of this Policy will be published on the Website with a revised “Effective Date.”
Where appropriate, material updates may be accompanied by additional notice mechanisms.
Continued use of the Website following publication of an updated Policy constitutes acknowledgment of the revised version.

All documents are governed by the laws of the State of Delaware, United States of America, unless otherwise required by applicable law. Information published on this Website does not constitute a public offer and is provided for informational purposes only.