UL Foundation Responsible Disclosure Policy

Effective: May 15, 2025

UL Foundation Security Badge

At the UL Foundation, we prioritize security, privacy, and transparency in everything we do. This policy outlines how ethical hackers, security researchers, and members of the public can responsibly disclose potential vulnerabilities in our systems.

Scope

ulfoundation.org and all subdomains
Public services hosted under the UL Foundation name
Any applications or scripts officially distributed by the UL Foundation

Reporting a Vulnerability

Please report all vulnerabilities to security@ulfoundation.org.
We encourage encrypted submissions using our PGP key: https://ulfoundation.org/.well-known/pgp-key.txt

What to Include

Clear description of the vulnerability
Steps to reproduce
Tools used (if applicable)
Your contact info (optional for acknowledgment)

What You Can Expect

Acknowledgment of your submission within 5 business days
Ongoing communication as we investigate and resolve the issue
Public acknowledgment in our Hall of Thanks, if permitted

We believe in recognizing those who help strengthen our systems. If permitted, your name will be included in our Hall of Thanks.

Guidelines

Do not attempt to access or modify data that is not your own
Do not use the vulnerability to disrupt or degrade services
Do not publicly disclose vulnerabilities before resolution
Do not engage in extortion or demand compensation

Safe Harbor

We will not pursue legal action against individuals who act in good faith and follow this policy in reporting security issues.

We appreciate your contribution to making the UL Foundation more secure for everyone.