CGM Responsible Vulnerability Disclosure Policy
Purpose
CGM, LLC ("CGM") is committed to maintaining the security of its systems, applications, and customer data. This policy establishes a responsible and coordinated process for external parties to report potential security vulnerabilities in a safe, lawful, and constructive manner.
Scope
This policy applies to all CGM-owned or CGM-managed systems, applications, networks, and services, including cloud-hosted infrastructure and customer-facing platforms.
This policy applies to external parties, including customers, vendors, and independent security researchers acting in good faith.
Reporting Security Vulnerabilities
External parties who believe they have identified a potential security vulnerability are encouraged to report it promptly using the following channel:
- Email: monitoring@cgminc.com
- Subject Line: Security Vulnerability Report
Reports should include, where possible:
- A description of the suspected vulnerability
- The affected system or application
- Steps to reproduce (if applicable)
- Any supporting evidence (logs, screenshots, timestamps)
Responsible Disclosure Expectations
CGM requests that all vulnerability reports adhere to responsible disclosure practices, including:
- No exploitation of the vulnerability beyond what is necessary to demonstrate its existence
- No access to customer data or confidential information
- No modification, deletion, or disruption of systems or services
- No public disclosure of the vulnerability prior to CGM remediation or written authorization
CGM does not authorize penetration testing, scanning, or exploitation of systems without prior written approval.
Bug Bounty Program
CGM does not currently operate a bug bounty or paid vulnerability reward program. Submission of vulnerability reports does not entitle the reporter to compensation.
Response & Remediation
Reported vulnerabilities are handled in accordance with CGM's Incident Response Plan and security governance procedures. CGM will:
- Acknowledge receipt of reported vulnerabilities
- Assess severity and potential impact
- Implement appropriate containment and remediation actions
- Notify affected customers or partners as required by contractual or regulatory obligations
High-risk vulnerabilities that could result in unauthorized access are prioritized for immediate mitigation.
Communication & Confidentiality
CGM treats all vulnerability reports as confidential security information. CGM may communicate with the reporting party to request clarification or additional details during investigation.
Policy Availability
This Responsible Vulnerability Disclosure Policy is maintained as part of CGM's security governance program and is available upon request to customers, partners, and regulators. Supporting evidence is available through CGM's SOC 2 reporting and compliance platform.
Policy Exceptions & Compliance
Policy Exceptions
Any exceptions to this Responsible Vulnerability Disclosure Policy must be formally documented and approved by CGM's Security and Compliance leadership.
Exceptions may be granted only when:
- There is a legitimate business or operational need, and
- Compensating security controls are identified and implemented, and
- The exception does not materially increase risk to CGM systems, customer data, or protected information.
All approved exceptions must:
- Be documented with scope, rationale, duration, and risk acceptance
- Be reviewed periodically to determine whether the exception remains necessary
- Be revoked once the underlying condition no longer applies
Unauthorized testing, exploitation, or deviation from this policy without an approved exception is strictly prohibited.
Compliance & Enforcement
Compliance with this policy is mandatory for all CGM personnel and applies to the handling of externally reported security vulnerabilities.
Reported vulnerabilities and any associated response actions are governed by CGM's Incident Response Plan and security governance framework. Failure to comply with this policy may result in:
- Rejection of vulnerability reports submitted outside approved channels
- Suspension of communication with reporting parties acting outside responsible disclosure guidelines
- Disciplinary action for internal personnel, up to and including termination
CGM reserves the right to pursue legal remedies in cases involving malicious activity, unauthorized testing, or intentional system disruption.
Questions regarding this policy, requests for clarification, or proposed changes may be submitted via an ITOPS Jira ticket and will be reviewed in a timely manner by Security and Compliance leadership.
Policy Review
This policy is reviewed annually and updated as necessary to reflect changes in security practices, regulatory requirements, or risk posture.