Panopto Responsible Vulnerability Disclosure Program

Panopto has established this Responsible Vulnerability Disclosure Program (“Program”) for individuals to report security-related issues associated with any Panopto website, product, software, platform, or service including the hosted service (collectively, “Panopto Services”) to us. If you believe you have found a vulnerability or issue and would like to participate in our Program, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept (“Report”). Please send your Report to responsible.disclosure@panopto.com.

Once you submit a Report to us, please allow our team a reasonable amount of time to investigate and respond to your Report and to correct the issue if the vulnerability described in your Report is verified and the correction is deemed appropriate by Panopto. We truly appreciate your efforts, and we may reward participants for helping us out. All Reports are subject to the terms and conditions (“Terms”) of our Program, set forth below, and with the Terms of Service published on panopto.com.

Eligibility

The Program is open to individuals who are 18 years of age or older. The Program is void where prohibited or restricted and is subject to applicable laws. Panopto shall have the right at any time to change or discontinue any aspect or feature of the Program. Contacting or attempting to directly engage Panopto or any Panopto employees or representatives outside of this Program will disqualify you from participation in this Program.

Scope

We invite and welcome Reports on any security-related issue or vulnerability that you may find. However, please do not resort to phishing, spamming, denial of service attacks, use of malicious software, or any other questionable methods that may harass our employees or users, compromise our data, generate significant volumes of traffic, or cause disruption to Panopto Services. In addition, please do not submit Reports on vulnerabilities identified by automated vulnerability scanning tools, unless you have a working proof-of-concept or reason to believe that the issue is exploitable. You represent that your submission of a Report will not infringe, misappropriate, or violate any third party’s intellectual property rights or rights of publicity or privacy, or result in the violation of any applicable law or regulation.

Ownership and Incentive

Any Report that you submit to us will become our property, and we are under no obligation to act on a Report. However, if we do act on a Report, we may in our sole discretion extend non-monetary compensation (“Reward”) to you as a gesture of our appreciation. We currently do not offer monetary rewards. You are responsible for any applicable taxes and any expenses, costs, or fees associated with your participation in the Program and any Reward you may receive.

Warranty and Liability Disclaimers

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOUR PARTICIPATION IN THE PROGRAM AND USE OF ANY REWARD IS AT YOUR SOLE RISK. PANOPTO EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. PANOPTO SPECIFICALLY DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM YOUR PARTICIPATION IN THE PROGRAM OR USE OF ANY REWARD.

Final Note

We ask that you follow the principles of responsible disclosure and give the Panopto security team a reasonable amount of time (and in no case less than 90 days) to respond to and correct the submitted issue before you make it public. We ask you to remain open in communication with us regarding any public disclosure so that we’re in agreement on the report and timelines.