Reactor
Responsible Disclosure Policy
Last modified date: September 4, 2024
The security of our systems and user data is ARC Labs AG (referred to below as “ARC”) top priority. We greatly value the efforts of security researchers who act in good faith to identify and report potential vulnerabilities.
Purpose
ARC is dedicated to maintaining the ongoing security and confidentiality of its information systems and customer data. This Responsible Disclosure Policy ("Policy") is designed to provide security researchers with clear guidelines for conducting vulnerability discovery activities and to outline our recommended procedures for reporting potential vulnerabilities to ARC.
We recognize and appreciate that security researchers ("you," "your," "yours") frequently contribute to the security of information systems, including ours. We therefore welcome security researchers to responsibly disclose to us any potential vulnerabilities discovered in good faith in accordance with this Policy.
Scope of Systems
This Policy applies to all internet-facing information systems, applications, or websites owned, operated, or controlled by ARC. This includes any web or mobile applications hosted on these websites, including the ARC domain and its related subdomains (collectively, "Information Systems").
This Policy does not cover any information systems, websites, or applications owned, operated, or controlled by third parties, including service providers or contractors to ARC, even when under an ARC domain. Researchers should comply with the responsible disclosure efforts for those systems, websites, and applications.
Scope of Vulnerabilities
This Policy covers technical vulnerabilities that may exist on our Information Systems, such as misconfigurations, Cross-Site Request Forgeries (CSRF), privilege escalation attacks, SQL Injection, Cross-Site Scripting (XSS), and directory traversal attacks.
This Policy excludes the following vulnerabilities, subject to ARC’s discretion:
- General security or email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,
- Physical compromise or intrusions,
- Rate limiting or brute-force issues on non-authenticated endpoints,
- Compromises involving an insider,
- Social engineering (including phishing attempts),
- Reflected file downloads,
- Account takeovers (including brute force attacks on accounts not owned by the researcher),
- Red-teaming or adversarial testing of our models,
- Content issues with model prompts and responses,
- Denial of service attacks,
- Clickjacking on pages with no sensitive actions,
- Missing HttpOnly or Secure flags on cookies,
- Dependency hijacking, or
- Any widely publicized zero-day vulnerabilities that have no patch or have had a patch available for less than 30 days.
We also welcome reports about safety issues, “jailbreaks,” and related concerns to help us improve the safety and harmlessness of our models. Please report such issues to usersafety@arc.market with sufficient detail to allow us to replicate the issue.
How to Submit a Report
If you discover a security vulnerability in an ARC system, please promptly report it to us by emailing contact@arc.market. Include a detailed summary and any supporting details (logs, code, proofs of concept) to help us understand, validate, reproduce, and respond to the vulnerability quickly.
At a minimum, please provide:
- The type and severity of the vulnerability,
- Technical details associated with the vulnerability,
- A summary of the vulnerability,
- Steps to reproduce the vulnerability,
- URL/Location of the vulnerability,
- Proof-of-concept scripts, screenshots, screen recordings, etc.,
- The potential impact on the Information System (if applicable), and
- Any recommended remediation actions.
All reports should be well-written, focus on a single vulnerability per report, and include any plans or intentions for public disclosure. The more detailed and clear the report, the more likely we will be able to investigate and respond effectively.
Research Guidelines
While we reserve the final discretion to determine if your actions are in good faith and align with this Policy, we generally consider you to be acting in good faith if you adhere to this Policy and agree to the following:
- You are testing Information Systems solely to identify or discover a potential vulnerability or an associated indicator of a vulnerability and are reporting such information to ARC;
- You avoid causing harm to Information Systems, including data destruction, unauthorized use, access, acquisition, or disruption, and refrain from violating or compromising the privacy or security of ARC’s customers, employees, or other users;
- You avoid exploiting any vulnerability beyond what is minimally necessary to reasonably prove that such potential vulnerability exists, including avoiding access, acquisition, or use of data that could be accessible from exploiting the vulnerability;
- You avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems unless such access is inadvertent;
- You do not exfiltrate, download, or otherwise retain any data you collect. If you inadvertently access any data, you will report such access to ARC as part of your vulnerability report;
- You avoid disclosing the existence or details of the discovered vulnerability to any third party or the public until you receive prior written approval from ARC;
- You do not perform any attacks that would compromise the security or confidentiality of any account that is not your own;
- You do not perform any social engineering attacks (phishing, vishing, etc.) on any ARC employee, contractor, or representative;
- You do not, as a condition of disclosure, require payment or compensation, or make threats to disclose the vulnerability irresponsibly;
- You are not listed on the Specially Designated Nationals and Blocked Persons List published by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) or any other sanctions list, and do not reside in any country sanctioned by the U.S. Government; and
- You comply with all applicable federal, state, and local laws in connection with your research activities.
Your Expectations of ARC
All good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability, you can expect ARC to evaluate your findings promptly. If we determine (at our sole discretion) that a vulnerability exists, we will validate its existence, confirm it with you, and take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.
If you provide your contact information, our representatives may reach out for further information. Additionally, we will:
- Protect your name and contact information and will not disclose such information without your consent unless required by legal process, law, or court order;
- Refrain from taking legal action as set forth in the Safe Harbor section below;
- Attribute your name and contribution in any public disclosure we make, with your permission, to the extent we choose to make a public disclosure;
- Acknowledge your submission within three (3) business days; and
- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.
Safe Harbor
If, in ARC's sole determination, you make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue legal action due to your research or responsible disclosure, subject to ARC’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures must be unconditional and must not involve extortion or threats.
Changes to this Policy
We reserve the right to change this Policy at any time by publishing a new policy and updating the date of the last revision. Vulnerabilities disclosed before any update to this Policy will remain subject to the Policy in effect at the time of disclosure.
