Relativity

Vulnerability Disclosure Policy (VDP)

Introduction

Relativity is committed to ensuring the security of our customers and protecting their data. This policy is intended to give security researchers clear guidelines for how to submit discovered vulnerabilities and what to expect from Relativity.

Reporting Security Issues

If you believe you have discovered a vulnerability or have a security concern you would like to report, please send an email to gotbugs@relativity.com. We currently do not support PGP emails. Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities related to Relativity. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Relativity, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

Best practices for reporting an issue

To help us triage and prioritize reports, please submit as much detail as possible, including:

  • The location where the vulnerability was discovered
  • The potential impact of exploitation
  • The steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)

Please also:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
  • Write in English, if possible

What you can expect from us

If you choose to share your contact information, we will communicate with you as openly and as quickly as possible. You can expect us to:

  • Acknowledge that we received your report within 3 business days
  • Confirm the existence of the vulnerability, to the best of our ability, and be as transparent as possible about the steps we are taking during the remediation process, including issues or challenges that may delay resolution
  • Categorize the vulnerability's severity based on potential impact and likelihood
  • Maintain an open dialogue to discuss issues
  • Communicate the proposed fix to you and provide an opportunity for comment

Questions & Suggestions

If you have questions about this policy or suggestions for improving it, please email gotbugs@relativity.com.

Document change history

Version | Date | Description
1.0 | September 10, 2024 | First issuance.