Policy

At PointOne Technologies, Inc., (“PointOne”) we are committed to building secure products and fostering positive relationships with the security research community as part of our Bug Bounty Program ("Bug Bounty Program"). Our security team reviews all vulnerability reports and acts upon them in accordance with responsible disclosure principles.

Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page ("Bug Bounty Terms"). By submitting a vulnerability report to PointOne, you acknowledge that you have read and agree to these Bug Bounty Terms.

Eligibility

To qualify for a reward under this Bug Bounty Program, you must:

• Be the first to report a specific vulnerability.

• Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots, videos, or proof-of-concept code as necessary.

• Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties — including vulnerability brokers — before we address your report will forfeit the reward.

• Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.

In addition to the requirements above, you are not eligible for the Bug Bounty Program if:

• You left the employment of PointOne, Inc. or its affiliates or subsidiaries within the past six (6) months;

• You are currently performing work for PointOne as a contract worker, whether independently or through a vendor; or

• You have been prohibited in writing from participating in the Bug Bounty Program by PointOne at any time.

Use Test Accounts for Testing

If you are investigating bugs or vulnerabilities, please use test accounts. You are not permitted to use or interact with any real account belonging to another person — including any law firm client or end user — without the express written consent of the account owner.

Given the sensitive and confidential nature of legal timekeeping data, researchers must take particular care to avoid accessing, viewing, or retaining any billing records, matter data, client information, or other data associated with law firm operations.

Scope

The systems and products that are in-scope are limited to PointOne's core AI timekeeping platform, including its web application(s), associated APIs, and iOS mobile application. Any other systems or vulnerabilities are out of scope, including the exclusions described in the "Non-Qualifying Vulnerabilities and Exclusions" section below.

How to Submit a Report

To submit a vulnerability report, please send an email to security@pointone.com with the following information:

• A clear description of the vulnerability and its potential security impact

• Step-by-step instructions to reproduce the issue

• The affected system, URL, or application component

• Any supporting materials such as screenshots, screen recordings, or proof-of-concept code

• Your name or handle (if you wish to be credited) and preferred contact information

We will acknowledge receipt of your report within 5 business days and aim to provide an initial assessment within 14 business days. We ask that you keep all details of the reported vulnerability confidential until we have had a reasonable opportunity to investigate and remediate the issue.

Submitting or publishing reports through public channels such as social media, GitHub, or community forums is expressly prohibited.

Rewards

We will reward reports according to their severity on a case-by-case basis as determined by our security team, in their sole discretion. A typical maximum reward is $10,000, although for exceptional vulnerabilities larger amounts may be disbursed. Given that our platform handles sensitive legal and billing data, we place particular emphasis on vulnerabilities that could expose confidential client information or compromise the integrity of timekeeping records. Rewards will generally be given for vulnerabilities that risk the integrity or confidentiality of client data, whereas other vulnerabilities will receive written thank-yous from our team or non-monetary gifts. Reports that disclose vulnerabilities that greatly impact availability of the system may also be eligible for cash rewards.

Non-Qualifying Vulnerabilities and Exclusions

The following are out of scope and do not qualify for a reward:

• Social engineering attempts on our staff, including phishing

• Attempts to access our offices or data centers

• Vulnerabilities in a third-party vendor or integration we use

• Use of automated tools that could generate significant traffic and possibly impair the functioning of our platform

• Reports solely indicating the absence of a possible security defense, such as certificate pinning

• Two-factor authentication bypass that requires physical access to a logged-in device

• Attacks that require physical access to or modification of device hardware

• Vulnerabilities that are already known (e.g., discovered by an internal team)

• Passive mixed content on web pages

• Open redirect with low security impact (if chainable with other vulnerabilities such as OAuth token theft or SSRF, please report)

• Generic information disclosure (e.g., stack traces) without additional demonstrated impact

• Issues that merely result in spam or annoyance without additional security impact

• Public zero-day vulnerabilities with an official patch issued less than one (1) month prior, which will be evaluated on a case-by-case basis

• Screenshot detection avoidance

• Local access to user data when operating a rooted or jailbroken mobile device

Additionally, the following specific reports do not qualify for a reward:

• Lack of email address verification during account registration

• Tampering with the host header in a request and receiving a redirect to a safe domain

• Support for RC4 in SSL/TLS negotiation where SSL/TLS is handled by an underlying cloud infrastructure provider

Access to Personal and Confidential Data

If you inadvertently access another person's data, law firm data, client information, or PointOne data without authorization while investigating a vulnerability, you must promptly cease any activity that might result in further access to such data and notify PointOne, Inc. immediately. Your notice should include what information was accessed and how you obtained access. After sending the notice, you should immediately delete all such data from your systems.

Continuing to access that data may disqualify you from a reward and from the protections of the Safe Harbor described below. You must also acknowledge any inadvertent data access in any related bug bounty report. You may not share or disclose any inadvertently accessed data with any third party under any circumstances.

Legal Terms

No Employment or Agency Relationship. Participation in the Bug Bounty Program does not create an employment, contractor, partnership, or agency relationship between you and PointOne. You are acting as an independent individual, and PointOne is not responsible for any taxes, withholdings, or other obligations arising from any reward payment made to you.

Reward Payments; Taxes. All reward payments are made in U.S. dollars. You are solely responsible for any taxes imposed on rewards you receive. PointOne may be required by applicable law to collect tax identification information and issue applicable tax forms in connection with payments above reporting thresholds.

No Assignment of Rights. By submitting a vulnerability report, you assign to PointOne all right, title, and interest in any intellectual property relating to the vulnerability and your report, including any related work product or proof-of-concept code. To the extent any such assignment is unenforceable, you grant PointOne a perpetual, irrevocable, worldwide, royalty-free license to use, reproduce, modify, and disclose the submitted materials for any purpose.

Confidentiality. You agree to keep confidential all non-public information about PointOne systems, products, and data that you encounter in connection with your participation in the Bug Bounty Program. This obligation survives the termination of your participation and any reward payment.

Sanctions Compliance. You represent and warrant that you are not (a) located in, or a resident or national of, any country subject to a U.S. government embargo or designated by the U.S. government as a "terrorist supporting" country, or (b) listed on any U.S. government list of prohibited or restricted parties, including the Treasury Department's Specially Designated Nationals list or the Commerce Department's Entity List. PointOne cannot issue rewards to individuals or entities that appear on any applicable sanctions list or that are located in a sanctioned country, regardless of the validity or severity of the reported vulnerability.

Compliance with Law. You agree to comply with all applicable laws and regulations in connection with your participation in the Bug Bounty Program and your security research activities. Nothing in these Bug Bounty Terms authorizes you to violate any law.

No Warranties; Limitation of Liability. THE BUG BOUNTY PROGRAM IS PROVIDED "AS IS." POINTONE MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE PROGRAM, INCLUDING WHETHER A REWARD WILL BE ISSUED FOR ANY PARTICULAR REPORT. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, POINTONE'S TOTAL LIABILITY TO YOU IN CONNECTION WITH THE BUG BOUNTY PROGRAM SHALL NOT EXCEED THE AMOUNT OF ANY REWARD ACTUALLY PAID TO YOU.

Modification and Termination. PointOne reserves the right to modify, suspend, or terminate the Bug Bounty Program or these Bug Bounty Terms at any time and in its sole discretion, without prior notice. Changes will be effective upon posting of updated terms. Continued participation after any change constitutes acceptance of the revised terms. PointOne is not obligated to pay rewards for reports submitted after the program is terminated or for vulnerabilities that fall outside the scope of any updated terms. All reward decisions — including whether to make an award and in what amount — rest entirely within PointOne's sole discretion.

Governing Law. These Bug Bounty Terms and any dispute arising out of or relating to your participation in the Bug Bounty Program shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law principles.