Responsible Disclosure Policy

Effective date: December 19, 2025

Purpose

  • Provide a clear, safe, and lawful path for security researchers to report potential vulnerabilities in Lovick Diversity Career Journal’s public-facing technologies.
  • Minimize risk to users and systems while acknowledging and, where applicable, rewarding responsible disclosure within this policy.
  1. Scope
  • In-scope systems: Lovick Diversity Career Journal public websites and services, including but not limited to [list domains, e.g., lovickdiversitycareer.com], APIs, content management systems, payment and subscription workflows, and associated third-party integrations.
  • Out-of-scope systems: internal networks, non-public development environments, third-party services not controlled by Lovick Diversity Career Journal, and any systems explicitly excluded in writing.
  2. Definitions
  • Vulnerability: a weakness in Lovick Diversity Career Journal’s software, services, or processes that could be exploited to compromise confidentiality, integrity, or availability.
  • Reporter: any individual or organization that follows this policy to report a vulnerability.
  • Safe harbor: a commitment by Lovick Diversity Career Journal not to pursue legal action against a reporter for conducting authorized vulnerability testing within the scope of this policy and in good faith.
  3. Eligibility
  • Researchers of any level may participate, provided they comply with this policy.
  • Individuals under 18 should have parental or guardian consent to participate.
  4. Rules of Engagement (Testing Guidelines)
  • Authorized scope: testing must be limited to in-scope systems and must not access content or data outside the defined scope.
  • No harm policy: do not perform tests that could disrupt, degrade, or destroy services; do not access, modify, exfiltrate, or disclose personal data (PII) or confidential information beyond what is necessary to demonstrate the vulnerability.
  • Testing environment: prefer non-production or staging environments. If production testing is necessary, it must be non-destructive, read-only where possible, and performed with explicit written permission.
  • Non-exploitative testing: do not attempt to exploit vulnerabilities to cause harm or gain access beyond what is necessary to confirm the vulnerability.
  • Authentication and authorization: do not attempt to access user accounts, admin consoles, or any credentials not owned by you without explicit authorization (e.g., test accounts you create yourself).
  • Data handling: do not retain or exfiltrate data you do not need to demonstrate the vulnerability. If data is inadvertently accessed, stop testing and report it immediately.
  • Information disclosure: do not publish details of any vulnerability or test data publicly without prior coordinated disclosure with Lovick Diversity Career Journal.
  5. Submission Process
  • How to report: report via email to calvin@lovickdiversitycareer.com. There is no security portal for submission.
  • Required information:
    • Reporter name and contact method (email or phone)
    • Affected asset(s) (URL or API endpoint)
    • Summary of the vulnerability and potential impact
    • Steps to reproduce (with as much detail as needed to verify)
    • Expected vs. observed behavior
    • Evidence: screenshots, PoC code, logs (sanitized), or video (if applicable)
    • Impact assessment (e.g., data exposure, service impact, business risk)
    • Any known workarounds (if applicable)
    • Preferred contact times and timezone
  • Confidentiality: reports will be treated confidentially, shared only with personnel who need to know for triage and remediation.
  6. Response and Triage
  • Acknowledgement: Lovick Diversity Career Journal will acknowledge receipt within 3-4 business days of submission.
  • Case management: each report will receive a unique case number and a triage status (e.g., new, in-progress, escalated).
  • Triage timeline: initial assessment typically within 5-7 business days; validation and impact assessment follow within a reasonable timeframe.
  • Communication: the reporter will receive updates as the case progresses. The scope and remediation plan will be discussed in coordination with the reporter where feasible.
  • Disclosure coordination: Lovick Diversity Career Journal prefers coordinated disclosure. If a reporter requests public disclosure, Lovick will coordinate a timeline with the reporter and stakeholders.
  7. Remediation and Disclosure
  • Remediation windows (non-binding targets by severity):
    • Critical vulnerabilities: fix or mitigation within 10 days
    • High: 15 days
    • Medium: 30 days
    • Low: 45 days
  • Verification: once a fix is implemented, the reporter may be asked to verify the vulnerability in the updated environment.
  • Public disclosure: coordinated disclosure will be preferred. If a vulnerability is not resolved within the agreed timeline, Lovick Diversity Career Journal may publish a public advisory after reasonable notice to the reporter and stakeholders, subject to legal and regulatory constraints.
  8. Safe Harbor and Legal Terms
  • Safe harbor: provided the reporter adheres to this policy, conducts testing within the defined scope, and acts in good faith, Lovick Diversity Career Journal will not pursue legal action for activities conducted under this policy.
  • Limitations: safe harbor does not apply to activities outside the defined scope, use of social engineering, illegal activities, or any harm caused outside the policy’s guidelines.
  • No guarantee: this policy does not create a contract or confer any additional rights beyond what is stated here. Lovick Diversity Career Journal reserves the right to modify the policy at any time with notice.
  9. Data Privacy and Handling
  • Data minimization: do not collect or retain personal data beyond what is necessary to demonstrate the vulnerability.
  • Handling of sensitive data: if you encounter test data that contains PII or sensitive information, stop testing and report the data exposure to Lovick Diversity Career Journal immediately.
  • Retention and deletion: any data collected during testing should be securely deleted after the case is closed, unless authorized otherwise.
  10. Publicity and Recognition
  • If you consent to be publicly acknowledged, Lovick Diversity Career Journal may credit you in a coordinated disclosure advisory or security report.
  • If you prefer anonymity, Lovick Diversity Career Journal will respect that preference in public disclosures.
  11. Third-Party Involvement
  • Researchers must not involve third parties to perform testing without prior written consent from Lovick Diversity Career Journal.
  • Do not attempt to compromise third-party services or partners unless explicitly within the defined scope and with approval.
  12. Governing Law and Venue
  • This policy is governed by the laws of the United States of America and the laws of the state in which Lovick Diversity Career Journal is organized or where a breach occurs. Any disputes arising from this policy will be resolved in the appropriate courts located in [State], USA.
  • Please insert the appropriate state where your entity is organized (e.g., Delaware, California) and the corresponding venue.
  13. Acceptance and Acknowledgement
  • By submitting a vulnerability report under this policy, you acknowledge and agree to adhere to the rules, scope, and safe harbor provisions described above.
  14. Contact Information
  • Security contact: calvin@lovickdiversitycareer.com
  • Alternative contact: [mailing address or form URL]
  • Response hours: Monday–Friday, 9am–5pm EST, observing the banking holiday schedule
  15. Appendix: Testing Guidelines (Quick Reference)
  • Use only in-scope assets; avoid others.
  • Do not perform denial-of-service or load-testing that could impact uptime.
  • Do not access or alter user accounts; do not brute-force credentials outside test accounts you create.
  • Do not exfiltrate or disclose user data; avoid data remnants after testing.
  • Prefer staging or test environments; if production testing is necessary, restrict to non-production data and obtain explicit approval.
  • Provide reproducible steps and evidence; use sanitized data if possible.
Version: 1.1

© 2026 Lovick Diversity Career Journal. All Rights Reserved. Website built by eBurst Services Inc.