Vulnerability Disclosure Policy
Effective Date: Jun 10, 2025
Last Updated: Jun 10, 2025
Purpose
Ross Video Limited (“Ross Video”) recognizes and appreciates the efforts of security researchers and ethical hackers who act in good faith to improve the safety of technology systems across the internet. This Vulnerability Disclosure Policy (VDP) is intended to provide clear guidance on how to submit security vulnerability reports to Ross Video and the terms under which those reports will be accepted, reviewed, and acted upon.
This Policy also clarifies Ross Video’s expectations and boundaries concerning the responsible identification and disclosure of potential security weaknesses in its digital assets. If you are a security researcher or otherwise fall within the scope of this Policy, WE ASK THAT YOU READ AND FULLY UNDERSTAND THE TERMS OUTLINED BELOW BEFORE ENGAGING WITH OUR SYSTEMS.
Ross Video’s Commitment to Security
Ross Video maintains a comprehensive vulnerability management programme that includes:
- Regular and systematic internal vulnerability scans of in-scope production and development environments;
- Ongoing engagement with reputable third-party penetration testing firms to assess and validate the effectiveness of our security controls;
- A structured and documented process for risk assessment, remediation, and verification of all validated security issues.
This Policy is not an admission of imperfection. It is a reflection of reality: no system is ever truly “done” when it comes to security, and responsible external reporting can be a valuable part of a strong security lifecycle – when done correctly.
This policy is intended solely as a guide for responsible disclosure and does not create any legally binding obligations or rights, express or implied, on the part of Ross Video or any other party.
Who This Policy Is For
This Policy is directed at ethical security researchers – sometimes known as “white hat” hackers – who, acting in good faith and without malice, wish to report potential vulnerabilities in Ross Video’s systems.
If you are engaged in unsolicited, unauthorized, or malicious activity, you are not covered by this Policy, and Ross Video reserves all rights and remedies under applicable law.
Rules of Engagement
By choosing to report a vulnerability under this Policy, you are agreeing – without exception or condition – to the following terms:
- Lawful Conduct Is Mandatory
You must comply with all applicable laws when investigating or reporting vulnerabilities, including:
- United States: Computer Fraud and Abuse Act, 18 U.S.C. § 1030
Ross Video does not offer safe harbour for activities that violate any applicable local, provincial, state, federal, or international laws. The act of submitting a vulnerability does not immunize you from prosecution or legal action if your conduct contravenes applicable laws.
If you break the law, Ross Video retains the right to respond in a way that best protects its interests.
- Conditional Safe Harbour
If you comply with this Policy in good faith and within the bounds of applicable law, Ross Video commits not to initiate legal action against you solely for the act of reporting a discovered vulnerability.
This safe harbour does not apply to actions that:
- Breach the terms of this Policy;
- Compromise user data;
- Cause intentional disruption or damage;
- Violate third-party rights or applicable law.
- No Payment Without Offer
Ross Video does not operate a public bug bounty or payment programme for unsolicited vulnerability disclosures.
If we choose – at our sole discretion – to offer any form of remuneration for your findings, that will be communicated by us, voluntarily, and in writing. If no such offer is made, you are to presume that no payment will be provided. By submitting a vulnerability under this Policy, you acknowledge this condition and waive any future claims for compensation, reward, or recognition unless Ross Video has explicitly offered it in advance.
Do not solicit payment. Do not attempt to negotiate payment. If that’s your intent, do not contact us.
- Permitted Scope and Prohibited Activities
You may only test and report vulnerabilities on assets that are:
- Public-facing;
- Owned and operated by Ross Video;
- Not otherwise covered by confidentiality or access controls.
| In Scope | Out of Scope |
| --- | --- |
| Ross Video rossvideo.com | Third-party services, plugins, or platforms |
| Public API endpoints | Physical infrastructure or hardware devices |
| Web applications operated by Ross Video | Any interface requiring credentials not assigned to you |
| Ross Video Products* | Third-party products; security research on Ross Video Products outside of Permitted Product Research |

*To the extent validly owned and/or licensed by you or your employer, and provided all security research complies with the terms of any end-user license agreement, warranty/maintenance agreement and/or any other product documentation (“Permitted Product Research”).
Prohibited activities include:
- Exploiting any vulnerability beyond what is necessary to demonstrate the risk;
- Accessing, downloading, or altering any data that is not your own;
- Introducing malware or other harmful artefacts;
- Social engineering of Ross Video staff;
- Running automated scanners or brute-force tools;
- Attempting access to internal networks or administrative interfaces.
- How to Report a Vulnerability
If you have identified a potential vulnerability and wish to report it to Ross Video, you must submit your report exclusively to:
security@rossvideo.com
This is the only accepted method of submission. Any reports sent through alternate channels – including social media, personal emails, support tickets, or public forums – will be treated as junk or spam and deleted without review.
Reports should include:
- A clear and detailed description of the issue;
- Steps to reliably reproduce the vulnerability;
- The potential security impact, if known;
- Relevant artefacts (e.g. screenshots, logs), appropriately redacted;
- Your contact information (pseudonyms are accepted, provided we can reach you).
- Secure Submission Option
For sensitive or high-impact vulnerabilities, researchers may request a PGP key to encrypt submissions. To initiate this process, email security@rossvideo.com with the subject line: “PGP Request – VDP”
- What You Can Expect From Us
If your report meets the conditions of this Policy and is submitted in good faith:
- You will receive an acknowledgement within seven (7) business days;
- We will validate the issue and assess its severity;
- Where applicable, remediation will be prioritized within our internal risk management framework;
- You may receive follow-up communication for clarification;
- We will notify you once the issue has been resolved.
Public acknowledgment of your contribution shall be at the discretion of Ross Video and will be only with your explicit written consent.
- Disclosure Coordination
Ross Video requires that you give us a reasonable opportunity to investigate and remediate vulnerabilities before any public disclosure. Failure to do so may:
- Expose our users or systems to preventable risk;
- Undermine resolution efforts;
- Void your standing under this Policy;
- Result in legal consequences, depending on timing and manner of disclosure.
Responsible disclosure means acting responsibly – not just reporting responsibly.
Policy Updates
Ross Video may update this Policy at any time. Future versions will be posted at rossvideo20dev.wpengine.com/vdp and include a changelog or revision history.
Final Word
Ross Video values transparency, accountability, and collaboration in maintaining the integrity of its systems. We welcome good-faith engagement with the security research community – but not at the expense of legality, ethics, or operational risk.
If you cannot accept these terms in full, do not engage with our systems.
If you can accept them and wish to disclose a vulnerability, please contact:
security@rossvideo.com
We thank those researchers who act with integrity and professionalism – and we will continue to maintain a security posture worthy of their efforts.