Pro5 Vulnerability Disclosure Program
Last Updated: March 3, 2025
1. Introduction
At Pro5, security is a top priority. We believe that engaging directly with the security community helps us improve our platform and better protect our users. We invite security researchers to report any potential security vulnerabilities they discover in Pro5’s products, services, or applications. Your help is vital in maintaining a secure environment for all our users.
If you believe you have discovered a security vulnerability on or within any Pro5 service, we encourage you to report it to us immediately. Please refrain from publicly disclosing any vulnerabilities until we have had a chance to investigate and remediate the issue.
2. Scope
This Vulnerability Disclosure Program applies to all Pro5 websites, web applications, APIs, and related services under our control. This includes, but is not limited to:
Out of Scope:
- Third-party applications, services, or websites not owned or maintained by Pro5.
- Systems or areas for which you do not have authorized access.
- Social media platforms or public forums where Pro5 is mentioned.
- Denial of Service (DoS) attacks (e.g., attempts to flood or overwhelm our servers), user enumeration, phishing, or social engineering against Pro5 employees or users.
If you are unsure whether a system or vulnerability falls within the scope of this program, please contact us at security@pro5.ai before proceeding.
3. Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly by emailing security@pro5.ai. Your report should include:
- A detailed description of the vulnerability, including steps to reproduce it.
- The specific Pro5 service, URL, or system affected.
- Any relevant screenshots, logs, or evidence supporting your findings.
- Your contact information, so that we may reach you if additional details are needed.
- If applicable, any proof-of-concept code or demonstration (exploitation details should be limited to what is necessary to prove the vulnerability without compromising sensitive data).
For clarity, please use a subject line such as “Vulnerability Report: [Brief Description]” and submit your report in plaintext. If your report contains sensitive details, please consider encrypting your email with PGP and include your public key information in the message.
We will acknowledge receipt of your report within 5 business days and work diligently to investigate and remediate the vulnerability.
4. Safe Harbor
Pro5 is committed to working collaboratively with the security community. If you comply with the guidelines of this program, Pro5 will not pursue legal action against you for any activities that fall under the scope of this program. In particular, you will not face judicial or law enforcement action if you:
- Report vulnerabilities in good faith and in accordance with this program’s guidelines.
- Refrain from accessing, modifying, or deleting data that does not belong to you.
- Avoid actions that compromise the privacy or safety of Pro5’s users.
- Do not exfiltrate or publicly disclose sensitive data from Pro5 systems.
- Abide by any confidentiality provisions outlined below.
5. Confidentiality
By participating in this program and submitting a vulnerability report to Pro5, you agree to treat any information regarding Pro5’s internal systems, data, or security measures as confidential (“Confidential Information”). This includes:
- All Pro5 information obtained during testing or via participation in this program.
- Any details disclosed in connection with your report.
- Any information from Pro5’s responses or communications regarding your submission.
You agree to:
- Hold Confidential Information in strict confidence and use it solely for the purpose of participating in this program.
- Not disclose Confidential Information to any third party or publicly.
- Not use Confidential Information for any purpose other than to help improve Pro5’s security.
- Promptly notify Pro5 if you believe any Confidential Information has been inadvertently disclosed.
Confidential Information does not include information that:
- Is or becomes publicly available through no fault of your own.
- Is independently developed without using Pro5’s Confidential Information.
- Is rightfully obtained from a third party without any obligation of confidentiality.
6. In-Scope Vulnerability Categories
Pro5 is particularly interested in receiving reports for the following vulnerability categories:
- Sensitive data exposure (e.g., SQL injection, cross-site scripting)
- Authentication and session management issues
- Remote code execution
- Privilege escalation or unauthorized access to data
- Flaws in our AI recommendation engine that could be exploited to affect its accuracy or fairness
- Other novel vulnerabilities or security weaknesses not explicitly mentioned
7. Out-of-Scope Activities
The following categories are considered out of scope and should not be targeted under this program:
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
- User enumeration techniques.
- Attacks that rely solely on compromising a user’s personal device (unless they directly impact Pro5’s systems).
- Vulnerabilities in third-party systems not under the control of Pro5.
- Phishing or social engineering targeting Pro5 employees, users, or partners.
- Accessing publicly available data without exploiting a vulnerability.
- Any activity that violates the Pro5 Terms and Conditions or applicable law.
8. Guidelines for Responsible Disclosure
When testing Pro5’s systems:
- Do Not Impact Users: Ensure that your testing does not disrupt the service for other users. Avoid any activities that could negatively affect system performance or availability.
- Do Not Exceed Authorized Access: Only test areas that are within the defined scope. Do not attempt to access, modify, or destroy data that does not belong to you.
- Provide Sufficient Detail: Ensure that your vulnerability report contains enough information for us to understand and reproduce the issue, but do not include excessive data extraction or exfiltration.
- Avoid Public Disclosure: Do not publicly disclose any vulnerability details until Pro5 has had a reasonable opportunity to remediate the issue.
- Follow Ethical Practices: Use responsible methods in your testing, and if you inadvertently access data that you are not authorized to view, report it immediately and do not use it.
Failure to follow these guidelines may result in Pro5 rejecting your report and, in some cases, may affect your safe harbor protections under this program.
9. Rewards
Pro5 may offer recognition or bounty rewards for vulnerability reports that meet the criteria of this program. Rewards are given at Pro5’s sole discretion and based on factors such as the severity, impact, and novelty of the vulnerability. By submitting a report, you understand that any reward is not guaranteed and that Pro5 retains full discretion in determining eligibility and reward amounts. If you participate through a bug bounty partner (if applicable), you will be subject to the partner’s reward terms.
10. Legal Considerations
By submitting a vulnerability report, you agree that:
- You will not use the information disclosed in your report to harm Pro5 or its users.
- You will refrain from using the vulnerability for any unauthorized purposes beyond demonstrating it.
- You will comply with all applicable laws and this program’s guidelines.
- Pro5 may share your report and your name with third parties (such as legal authorities) if required by law.
- You release Pro5 from any claims related to your participation in this program, provided you comply with the safe harbor provisions.
11. Changes to This Program
Pro5 reserves the right to modify or update this Vulnerability Disclosure Program at any time without prior notice. We will communicate any significant changes via our website or through direct communication with security researchers who have previously participated. Your continued participation in the program after any changes signifies your acceptance of the updated terms.
12. Contact Information
If you have any questions regarding this Vulnerability Disclosure Program or need additional guidance, please contact us at:
Email: security@pro5.ai
Thank you for helping us improve Pro5’s security and for participating responsibly in our Vulnerability Disclosure Program. Your efforts help ensure that Pro5 remains a safe and trusted platform for all users.