VULNERABILITY DISCLOSURE POLICY
At GMI Holdings Inc., dba The Genie Company (“Genie”), the security of our systems and the privacy of our users are top priorities. We are committed to maintaining a secure environment and value the contributions of security researchers and members of the public.
The Genie IT Security incident response team is responsible for evaluating reported vulnerabilities impacting our products. Once a report has been submitted, we will work to validate the reported vulnerability. Our team may need to contact you if additional information is required to validate or reproduce the issue.
Scope:
This policy applies to: All products manufactured by Genie and all public-facing systems and services owned, operated, or controlled by Genie.
Reporting a Vulnerability:
If you identify a security vulnerability in any Genie product, we ask you to report it as soon as possible. Timely identification and reporting of security vulnerabilities is critical to mitigating potential risks to our customers.
To submit a vulnerability report, visit our website <insert appropriate link>. Select “Contact Us”, then “Report a Vulnerability”, or click here.
If you have any questions regarding vulnerabilities or vulnerability reporting, contact us at InfoSec@Overheaddoor.com.
Handling and Response Process:
When you report a vulnerability in good faith and in accordance with this policy, we will:
Acknowledge receipt of your report within 5 business days.
Assess the report for validity and assign a risk severity rating based on our risk assessment methodology.
Appropriately remediate the issue within a reasonable timeframe based on its severity.
Document the incident and update our records.
Guidelines for Good Faith Security Research and Disclosure:
All vulnerability research must be conducted in good faith. This means:
You will follow this policy and any other relevant agreements you have with us.
Your research must consist exclusively of good faith testing, investigation, or correction of a security flaw, with the primary goal of promoting the safety of a Genie product or online service.
You will not violate Genie’s customers’ security and privacy, and will not harm individuals or the public.
Your research will proceed only as far as necessary to demonstrate or clarify the security issue, and no further.
If a vulnerability provides unintended access to data, you will limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept. You will notify Genie of any sensitive data you accessed and you will cooperate with Genie on the proper destruction of any sensitive data that was inadvertently accessed or cached.
You will report the findings of your research to us within 72 hours of determining a potential security concern.
You will allow us a reasonable time to resolve the issue before any public disclosure.
You must comply with all applicable laws.
No extortion or harassment is permitted.
Public Notification:
If applicable, Genie will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
To protect our customers, Genie requests that you do not share information about potential vulnerabilities in any public setting until we have addressed the vulnerability and informed customers if necessary. Additionally, we respectfully ask that you do not post or share any data belonging to our customers.
Please note that the time required to mitigate a vulnerability depends on the severity of the vulnerability and the affected systems.
Out of Scope:
The following actions, if performed by you or a member of your team, are not in scope:
Denial of service (DoS/DDoS) attacks.
Introducing malicious software, spoofing, manipulation, or monitoring.
Social engineering or phishing.
Physical security attacks.
Use of outdated browsers or plugins.
Use of web scrapers or other tools to collect sensitive information.
Port, protocol, and request flooding.
Stunt hacking.
Safe Harbor:
If you act in good faith and comply with this policy:
We will not pursue legal action;
We will consider your actions authorized;
We may publicly acknowledge your contribution (with your consent); and
We will take steps to make known that you conducted good faith security research if someone else brings legal action against you.
