SCOPE
Document scope
Public AdaptOrch web properties, SaaS application, documented APIs, and security contact channels, unless explicitly excluded.
Status: first operational draft, pending legal review. It must be reviewed by counsel, the privacy owner, and the security owner before it is published as a binding policy or attached to a signed enterprise agreement.
§ 01
How to report
Send reports to ict03@rfems.com with a clear description, affected URL/API, reproduction steps, impact, timestamps, and your preferred contact information.
Do not disclose the vulnerability publicly until AdaptOrch has had a reasonable opportunity to investigate and remediate.
§ 02
Authorized research
Good-faith testing is welcome when it avoids privacy violations, service disruption, data destruction, persistence, social engineering, spam, physical attacks, or denial-of-service testing.
If you accidentally access customer data, stop immediately, avoid further access or disclosure, and report the issue with minimal evidence necessary for validation.
§ 03
Response targets
AdaptOrch aims to acknowledge credible reports within 3 business days, triage severity within 7 business days, and provide status updates for high-impact findings until closure.
Timelines may vary depending on severity, third-party provider dependencies, and customer impact.
CONTACT
Questions and updates
For support questions, contact ict03@rfems.com. For security reports, contact ict03@rfems.com. For privacy requests, contact ict03@rfems.com.