UL Foundation Responsible Disclosure Policy

Effective: May 15, 2025

Security Badge

At the UL Foundation, we prioritize security, privacy, and transparency in everything we do. This policy outlines how ethical hackers, security researchers, and members of the public can responsibly disclose potential vulnerabilities in our systems.

Scope

  • ulfoundation.org and all subdomains
  • Public services hosted under the UL Foundation name
  • Any applications or scripts officially distributed by the UL Foundation

Reporting a Vulnerability

Please report all vulnerabilities to .

We encourage encrypted submissions using our PGP key: https://ulfoundation.org/.well-known/pgp-key.txt

What to Include

  • Clear description of the vulnerability
  • Steps to reproduce
  • Tools used (if applicable)
  • Your contact info (optional for acknowledgment)

What You Can Expect

  • Acknowledgment of your submission within 5 business days
  • Ongoing communication as we investigate and resolve the issue
  • Public acknowledgment in our Hall of Thanks, if permitted