Vulnerability Disclosure Policy
1. Introduction
HireRoad is committed to maintaining the security and privacy of our customers’ data. We value the contributions of the security community and encourage responsible disclosure of potential vulnerabilities in our systems.
2. Scope
This policy applies to all publicly accessible services and systems operated by HireRoad, including web applications, APIs, and cloud-hosted services. This policy does not grant permission to test systems outside the defined scope.
3. How to Report a Vulnerability
If you believe you have discovered a security vulnerability in a HireRoad product or service, please report it to us by emailing security@hireroad.com. Include as much detail as you can to help us understand and reproduce the issue, for example the affected URL or endpoint, the steps to reproduce, and the impact you observed.
4. What to Expect
- We will acknowledge your report within 5 business days.
- We will provide regular updates on the status of the investigation.
- We will notify you when the vulnerability has been resolved.
- We may offer public thanks or credit for valid findings (with your permission).
5. Guidelines for Responsible Disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
- Do not access, modify, or delete data belonging to others.
- Do not publicly disclose the vulnerability before it has been addressed.
- Do not use automated scanning tools or attempt denial-of-service attacks.
6. Safe Harbour
If you act in good faith and in accordance with this policy, we will not initiate legal action against you. We consider security research conducted within this policy's scope to be authorised, and we will not bring or support claims against you under breach or anti-hacking laws for activity that remains within that scope.
7. Out of Scope
- Social engineering attacks (e.g., phishing)
- Physical security vulnerabilities
- Denial of service (DoS) attacks
- Vulnerabilities in third-party systems not under our control
8. Contact
All vulnerability reports should be sent to: security@hireroad.com
9. Review and Maintenance
This policy will be reviewed annually or in response to significant system changes. Each review will confirm that the policy continues to meet business needs and ISM requirements and reflects the current technology landscape. Version history and review outcomes will be recorded in the ISMS documentation register.
10. Enforcement
Compliance with this policy is mandatory for HireRoad team members. Breach of any part of this policy may result in disciplinary action up to and including dismissal and/or referral to law enforcement.
11. Reference Documentation
This policy should be read in conjunction with the following supporting documentation:
- ISM-1616: Implement a Vulnerability Disclosure Program
- ISM-1755: Develop a Vulnerability Disclosure Policy
- ISM-1756: Define Vulnerability Disclosure Procedures
- ISM-1717: Publish a security.txt File
- HR – Security Incident & Actions Procedure
12. Policy Amended or Withdrawn
This policy can be amended or withdrawn at any time at the sole discretion of HireRoad. Changes will be made from time to time to keep the policy current. Team members will be advised of any changes in a timely manner.
13. Document Control
Data Classification: OFFICIAL – COMMERCIAL IN CONFIDENCE
Document Owner: John Baker
Document Approver: ISMS Owner
Date of Next Review: April 2026
14. Revision History
Version | Date of revision | Updated by | Description of change | Approval reference |
---|---|---|---|---|
0.1 | 2024-04-13 | John Baker, HireRoad | Document creation. | |