Responsible Disclosure Policy

1. INTRODUCTION

Boralex values feedback from security researchers and the public to bolster its security measures. If you’ve identified a vulnerability, privacy issue, exposed data, or other security concerns in any of Boralex’s assets, we encourage you to reach out. This policy provides a secure framework for reporting potential security flaws, ensuring a standardized approach to enhancing the safety of Boralex’s digital assets like websites, networks and online services. We urge you to thoroughly read this document and adhere to its guidelines when reporting any vulnerabilities.

While we appreciate responsible reporting, please note that Boralex does not offer financial or other incentives for such disclosures.

2. SCOPE

This policy applies to any assets owned, leased, operated, or maintained by Boralex and its group.

3. OFFICIAL CHANNELS & HOW TO REPORT

If you believe you’ve discovered a security vulnerability, please forward your findings to us via the following email: cyber-disclosure at boralex dot com.

In your submission, kindly include:

  • The specific website, IP address, or page where the vulnerability was found.
  • A concise description of the vulnerability type, such as “SQL Injection.”
  • Reproduction steps that are non-destructive and serve as a proof of concept, facilitating quicker and more accurate triage.

4. WHAT TO EXPECT

Upon receiving your report, Boralex’s Cybersecurity team aims to acknowledge it and assess its validity as promptly as possible. If you request it, we may keep you updated on our progress, depending on the circumstances.

Remediation priority is determined by evaluating the vulnerability’s impact, severity, and complexity of exploitation. While we strive to address reports promptly, the process may take time. Once the vulnerability you reported is resolved, we may invite you to verify that the implemented solution is effective.

We encourage coordinated public disclosure of the resolved vulnerability and welcome your participation in this process.

5. GUIDELINES

In participating in Boralex’s vulnerability disclosure program, we ask that you:

  1. Play by the rules, including following this Policy;
  2. Report any vulnerability you’ve discovered promptly;
  3. Avoid violating the privacy of others, disrupting systems, destroying data, and/or harming user experience;
  4. Avoid submitting reports of non-exploitable findings or of mere deviations from best practices (e.g., weak TLS configurations), and do not engage in social engineering or phishing attacks against the company’s personnel or infrastructure;
  5. Use only the Official Channels to discuss vulnerability information with us;
  6. Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
  7. Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  8. If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to demonstrate a proof of concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), credit card data, or proprietary information;
  9. Interact only with test accounts you own, or with accounts for which you have explicit permission from the account holder;
  10. Securely erase any data obtained during your research either when it is no longer needed or within one month after the vulnerability has been resolved; and
  11. Do not engage in extortion.

6. SAFE HARBOR

We consider vulnerability research conducted in accordance with this Policy to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this Policy, we may take steps to make it known that your actions were conducted in compliance with this Policy, depending on the circumstances.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our Official Channels before going any further.