VULNERABILITY DISCLOSURE POLICY

RevContent (“We”, “Us”, “Our”) highly values the security of our systems, data, and users. We appreciate the contributions of the security research community (“You”, “Your”) in helping Us maintain a secure platform. If you believe you have discovered a vulnerability or security issue in a RevContent-owned system, We encourage you to report it to Us in accordance with this Vulnerability Disclosure Policy.

Last Updated & Effective Date: October 30, 2025

PROGRAM SCOPE

This policy applies to all RevContent-owned domains, applications, and systems, including but not limited to (collectively the “Service”):

  • revcontent.com
  • Any subdomains or associated web properties
  • RevContent advertiser and publisher platforms
  • RevContentAPIs and SDKs

SAFE HARBOR

While We appreciate responsible disclosure, We reserve all legal rights but generally will not pursue legal action against security researchers who:

  • Follow this policy in good faith;
  • Avoid accessing, modifying, or destroying data that does not belong to them;
  • Do not publicly disclose details before RevContent has confirmed and fixed the issue and provided explicit written permission for such disclosure; and
  • Limit testing to systems explicitly owned and controlled by RevContent.

Unauthorized access, data exfiltration, or service disruption activities are strictly prohibited and will result in immediate termination of safe harbor protections and may result in civil and/or criminal enforcement actions.

VULNERABILITY DISCLOSURE REQUIREMENTS

To be considered for review, all submissions must include the following:

  • A complete, reproducible Proof ofConcept (PoC) demonstrating the direct impact of the vulnerability.
  • A valid exploit path — reports must show a concrete and reproducible method to exploit the vulnerability. Theoretical or assumed exploit chains will not be accepted.
  • No speculative or hypothetical scenarios. For example, “X could lead to Y which might result in Z” is not sufficient.
  • Clear, actionable reproduction steps showing how the issue can be triggered on a RevContent-owned domain or application.
  • Proof of execution. Screenshots or summaries alone are not sufficient; submissions must include evidence that the exploit was successfully executed.
  • Full technical details. We will not review vague claims, partial findings, or submissions that withhold critical details.

All vulnerability reports must be submitted privately and encrypted to security@revcontent.com. By submitting a report, you agree to be bound by the terms of this Policy. Submissions not meeting these criteria may be closed without further review.

You agree not to disclose any vulnerability publicly or share information about it through any means, including but not limited to social media, blogs, or third-party platforms, before RevContent has validated and remediated the issue and provided explicit written permission for such disclosure. Premature or unauthorized public disclosure disqualifies the report from review and may result in legal action.

Please note the following are considered out of the scope of this policy and are not valid submissions:

  • Speculative or hypothetical attack scenarios
  • Reports lacking a demonstrable impact or valid exploit path
  • Social engineering or phishing against RevContent employees or customers
  • Physical security issues
  • Denial-of-service(DoS), rate-limiting, or volumetric attacks
  • Use of automated scanning tools without proof of impact
  • Issues related to third-party integrations not owned or operated by RevContent
  • Best-practice recommendations or general security guidance without a verifiable exploit
  • Third-party services, vendors, or technologies that RevContent does not control

ACCEPTANCE CRITERIA & PROCESS

If you submit a report that meets the above criteria and demonstrates a genuine security issue:

  • RevContent will acknowledge receipt of your submission in a timely manner.
  • Our security team will review and validate the reported issue based on their assessment of the severity and urgency of the issue.
  • We will work to remediate confirmed vulnerabilities as quickly as possible and communicate relevant updates.
  • We may, at Our discretion, publicly acknowledge your contribution after resolution (with your consent).

RevContent may, in its sole and absolute discretion, reward disclosures that lead to meaningful security improvements for the Service. Any reward offered is ex gratia and does not create any obligation for future rewards. The determination to offer a reward, as well as the amount and timing thereof, are at Our sole and absolute discretion. If a reward is offered, it may take up to ninety (90) days to process. All rewards are subject to applicable laws and regulations, including tax requirements.