Responsible Disclosure Policy (2026 Edition)

Effective Upon Publication

Entity: BuyersRoad, Inc. d/b/a Experience.com

Address: 2010 Crow Canyon Place, Suite 100, San Ramon, CA 94583-1344, USA

Overview

At Experience.com, we recognize that the privacy and security of our customer, professional, and enterprise data are essential to the trust placed in us. Secure delivery of our services is a core company value and central to our mission of providing reliable, privacy-forward, and innovative products for users across industries.

We deeply value the efforts of security researchers and members of the broader cybersecurity community who help us identify and mitigate potential vulnerabilities. Responsible disclosure allows us to maintain a secure environment for all users and uphold the highest standards of data protection and compliance.

Guidelines

If you discover a potential security issue, please report it responsibly by following the steps below.

Reach out to us at security@experience.com (or privacy@experience.com if the report may involve personal information).

1. Submission and Validation

• Submit all potential vulnerabilities to security@experience.com.
• Experience.com will define the severity of each issue based on its potential impact and ease of exploitation.
• We may take 2–4 business days to validate a report and up to 10 business days to complete triage.
• You will be notified when the issue has been validated and when remediation is complete.

2. Testing Boundaries

• Do not attempt to access, alter, or destroy customer data or systems.
• Do not exploit vulnerabilities beyond what is necessary to demonstrate proof of concept.
• Do not use automated scanners or tools that generate large traffic loads.
• Do not conduct DoS/DDoS or spam attacks, or perform testing that disrupts production environments.
• Do not attempt to access or test identification pixels, marketing pixels, cookie consent mechanisms, or visitor-identification systems, as these involve personal data regulated under the California Privacy Rights Act (CPRA) and are explicitly out of scope for vulnerability testing.

3. Confidentiality and Publication

• Keep details of any vulnerabilities confidential until the issue is verified and resolved by Experience.com.
• Public disclosure or documentation of any finding prior to resolution is a violation of this policy.
• All vulnerability research must comply with applicable privacy and data-protection laws, including the CCPA/CPRA.
• If personal information is inadvertently accessed during research, it must be immediately reported and permanently deleted after verification.

4. Respect for Privacy

• When conducting security testing, researchers must not attempt to collect, view, or disclose personal information of customers, professionals, or visitors.
• Reports should focus on the technical vulnerability itself—not on data obtained through unauthorized access.

Scope

In-Scope Domains

• experience.com
• app.experience.com
• pro.experience.com
• voce.com
• developer.experience.com
• visitorvault.experience.com
• ai.experience.com
• api.experience.com
• cdn.experience.com
• socialsurvey.com

Additional domains or environments may be added as needed.

Qualifying Vulnerabilities

We encourage reports that demonstrate meaningful security risks, including:

• Remote Code Execution (RCE)
• SQL/XXE/Command Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF) in privileged contexts
• Server-Side Request Forgery (SSRF)
• Authentication or Authorization flaws
• Directory Traversal
• Information Disclosure (high impact)
• API or endpoint behavior exposing sensitive data
• Significant Security Misconfigurations

Out-of-Scope Vulnerabilities

The following issues are not eligible for review or recognition:

• HTML injection and Self-XSS
• Automated vulnerability scanner output
• Missing security headers or cookie flags on non-sensitive cookies
• Host header injection without exploitable impact
• Denial of Service (DoS/DDoS)
• Missing SPF/DKIM/DMARC configurations
• Open redirections, rate-limiting, brute force, or spam enumeration
• Vulnerabilities requiring man-in-the-middle or physical access
• Outdated third-party library reports without a valid proof of concept
• Vulnerabilities involving unpatched browsers or deprecated environments
• Social engineering or phishing attacks
• Vulnerabilities in third-party services or integrations

What You Can Expect from Us

Fast Response Time

We will acknowledge your submission within two (2) business days and communicate throughout the triage and remediation process.

Triage and Resolution

We will assess reported vulnerabilities and prioritize fixes based on potential impact. You will be notified when the vulnerability has been remediated or if additional details are required.

Safe Harbor

We will not pursue legal action against researchers who:

• Act in good faith and follow this policy;
• Refrain from unauthorized access, data extraction, or disruption; and
• Report vulnerabilities privately to Experience.com.

This Safe Harbor protection applies under California law and Experience.com's Terms of Use.

Any disputes or claims arising under this policy are subject to binding arbitration in California, as described in the Terms of Use.

Research Safety

We treat all submissions with confidentiality and will not share your report outside the minimal remediation team.

If you intend to present your research publicly (e.g., at a conference), please include this intent in your submission so we can coordinate disclosure timing responsibly.

What We Expect from You

• Use Your Own Data: If a vulnerability grants access to data, use your own accounts and credentials for testing. Contact us if temporary test accounts are required.
• Avoid Service Disruption: Do not engage in any activity that may degrade or disrupt Experience.com services, or affect other users' experience.
• No Social Engineering: Do not attempt to trick, phish, or manipulate employees or customers.
• Provide Quality Reports: Reports must be written in English, concise, and include clear steps to reproduce the issue, a proof of concept (PoC), and suggested remediations.
• Coordinated Disclosure: If you wish to publicly disclose a vulnerability, coordinate timing with us after the issue has been fixed or mutually agreed disclosure window has elapsed.

Severity Guidelines

Reporting Vulnerabilities

We encourage high-quality submissions that expedite triage and remediation.

Format: Reports must be submitted in Markdown (.md) format.

Include the following fields:

1. Title: One-line description of the issue.
2. Summary: Brief explanation of the vulnerability.
3. Impact: Potential business or data impact.
4. Likelihood: Assessment of probability or ease of exploitation.
5. Steps to Reproduce: Step-by-step walkthrough with a PoC.
6. Recommendations: Fix or mitigation suggestions.
7. References/Notes: Any supporting links, screenshots, or videos (.png / .mp4).

Privacy & Regulatory Alignment

Experience.com adheres to all applicable privacy and data-protection laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Security testing and disclosures that involve personal information must comply with these laws.

We will coordinate with our Privacy Office to ensure compliance with notice, remediation, and documentation obligations.

Reports that involve personal data (e.g., user identifiers, IP addresses, or visitor information) are automatically subject to internal privacy review before disclosure or resolution.

Contact Information

For vulnerability reporting or inquiries:

Email: security@experience.com

For reports that may involve personal data: privacy@experience.com

Mail:

BuyersRoad, Inc. d/b/a Experience.com

2010 Crow Canyon Place, Suite 100

San Ramon, CA 94583-1344, USA

Related Policies

• Privacy Notice (2026 Edition)
• Terms of Use
• Cookie Policy
• Do Not Sell or Share My Personal Information
• Accessibility Statement
• Trust Center