
Security Policy & Vulnerability Disclosure

Last updated: May 23, 2026

1. Purpose and Scope

Cornerstone Systems Group ("CSG") welcomes good-faith security research that helps us protect the systems we operate and the information entrusted to us. This policy sets out how to report a suspected vulnerability, what we will do when we receive a report, and the conditions under which researchers may rely on our good-faith handling of their submissions.

This policy applies to the public-facing properties listed in Section 5. It does not apply to systems operated by third parties or to systems CSG accesses solely as a customer.

2. How to Report a Vulnerability

Reports may be submitted by email to security@cornerstonesystemsgroup.com. The corresponding machine-readable disclosure file is published at /.well-known/security.txt in conformance with RFC 9116.

Please include, where possible: a description of the vulnerability, the affected URL or component, reproduction steps, and any proof-of-concept material. We accept reports in English. Encrypted submissions are supported when a public PGP key is published; the current key URL (when available) is referenced from the Encryption field of the security.txt file linked above.

3. Our Commitments

When we receive a report submitted in good faith, CSG will:

  • Acknowledge receipt within a reasonable period after the report is reviewed.
  • Investigate the report and validate the issue.
  • Communicate progress at intervals appropriate to the severity of the issue.
  • Coordinate public disclosure with the reporter where applicable.
  • Not pursue legal action against researchers acting consistent with this policy.

CSG does not currently operate a paid bug bounty program. No monetary compensation is offered for reports. Public acknowledgment may be offered at the reporter's request — see Acknowledgments.

4. Safe-Harbor Statement

Security research conducted in accordance with this policy is considered authorized conduct. CSG will not pursue or support legal action under the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Digital Millennium Copyright Act (17 U.S.C. § 1201), or analogous state laws against researchers who, in good faith and consistent with this policy:

  • Make a good-faith effort to avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.
  • Stop testing and submit a report immediately upon discovery of any data that is sensitive or that exceeds the scope of testing necessary to demonstrate the vulnerability.
  • Do not exploit identified vulnerabilities beyond what is necessary to confirm the issue exists.
  • Do not disclose the vulnerability publicly or to third parties prior to coordinated disclosure with CSG.
  • Comply with all applicable U.S. federal, state, and local laws.

This statement reflects CSG's intent and does not waive any third-party rights or modify any contractual obligations CSG owes to its customers, clients, or partners. Research that falls outside this policy may be subject to applicable legal consequences. Where this policy conflicts with the terms of a specific engagement, the terms of the engagement govern.

5. In Scope

The following property is in scope for this policy:

  • cornerstonesystemsgroup.com and all subdomains under direct CSG control.

6. Out of Scope

The following classes of submission are out of scope and will not be accepted under this policy:

  • Reports generated by automated scanners without manual validation.
  • Findings limited to missing best-practice headers or weak cipher suite advisories without a demonstrated impact.
  • Self-XSS, clickjacking on pages without sensitive actions, and CSRF on unauthenticated forms.
  • Denial of service attacks, volumetric testing, brute force, or any test that materially impacts service availability for other users.
  • Social engineering of CSG personnel, customers, or partners.
  • Physical security testing of CSG facilities or personnel.
  • Vulnerabilities in third-party services not under CSG's direct control (e.g., Cloudflare, Resend, hosting providers). Please report these directly to the upstream vendor.

7. Coordinated Disclosure

CSG follows a coordinated disclosure model. Where a confirmed vulnerability is reported, we work with the reporter to determine an appropriate public disclosure timeline. Where the vulnerability affects third-party systems CSG depends on, we coordinate disclosure with the relevant upstream party prior to any public statement.

Reporters who wish to publish independent write-ups are asked to coordinate timing with CSG so that any remediation is in place at the time of publication.

8. Compliance and Authority

This policy is published in conformance with RFC 9116 (A File Format to Aid in Security Vulnerability Disclosure) and reflects the principles set forth in CISA Binding Operational Directive 20-01 guidance on vulnerability disclosure policy practice. CSG is not a federal civilian agency and is not subject to BOD 20-01; the directive's principles are referenced as governing practice.

9. Changes to This Policy

CSG may update this policy. The "Last updated" date above reflects the most recent revision. Continued use of the reporting channels following any changes constitutes acceptance of the revised policy.

10. Contact

For all vulnerability disclosure correspondence:

Cornerstone Systems Group
Email (security): security@cornerstonesystemsgroup.com
Email (general): admin@cornerstonesystemsgroup.com
Phone: (213) 212-4999
Machine-readable: /.well-known/security.txt