Responsible Disclosure Program Terms of Use

---

Thank you for your willingness to share information about a security vulnerability with Avitris Group, LLC ("Avitris Group"). The security of our applications, systems, and the data we are tasked with safeguarding is paramount. We greatly appreciate any insights you provide that can help us enhance our security posture.

By submitting a vulnerability report to Avitris Group, you are agreeing to the following terms (the "Terms of Use"), designed to protect both parties involved:

If you submit a vulnerability report to Avitris Group via the process outlined below, in full compliance with all terms specified herein, we will not initiate civil action or file a complaint with law enforcement against you for unauthorized access to our systems, provided the access was solely for identifying the reported vulnerability.

Please direct all vulnerability reports to Avitris Group via email at inquiries@avitrisgroup.com. Include in your report:

• A detailed description of the vulnerability.
• The URL, IP address, port, or other relevant information to help us locate the vulnerability.
• Clear, detailed steps to reproduce the issue (including logs, screenshots, responses, or proof of concept code).
• How you discovered the issue.
• The presumed impact of the vulnerability.
• Any suggestions for remediation.
• Your name and contact details for follow-up.

Access to individual workstations, systems, networks, content, applications, or data belonging to any third party in connection with this program is strictly prohibited. The safe harbor provided does not extend to such systems, networks, content, applications, or data.

Engagement in denial of service attacks, attempts to compromise physical security, unauthorized entry into physical premises, or other destructive testing methodologies is forbidden. Once a vulnerability is identified, you must cease further testing and report it as outlined above. The safe harbor does not cover any activity that breaches the terms of this section.

By participating in this program, you affirm that you have not accessed, nor will you access, personal data of our customers or users found within our systems. Should you inadvertently come into possession of such data, you must securely delete it immediately. You further agree not to misuse any data extracted from our environment for any fraudulent, malicious, defamatory, abusive, threatening, unlawful, or otherwise improper purpose.

By submitting information related to a vulnerability, you grant Avitris Group a perpetual, worldwide, royalty-free, fully paid-up license to use, disclose, and act upon the information you submit, including proofs of concept, patches, suggestions, or any other related information, for the legitimate business purposes of analyzing, remedying, or enhancing our systems and networks. No intellectual property rights to any creation in connection with these Terms of Use are granted to you by Avitris Group.

You represent that you are not subject to any export sanctions or other trade restrictions by the United States, European Union, or other governmental bodies, including being listed on sanction lists or residing in a sanctioned country.

Your submission does not establish an employment relationship between you and Avitris Group. You shall not represent yourself as an employee, partner, or agent of Avitris Group.

Avitris Group and its affiliates shall not be liable for any direct, indirect, incidental, special, or consequential damages arising from these Terms of Use. Information submitted in connection with a vulnerability is provided voluntarily and without charge; Avitris Group shall not owe any fees for the submission or related services and expenses unless otherwise agreed.

These Terms of Use are governed by the laws of the State of Michigan, without regard to its conflict of laws principles. The use of Avitris Group's logos or trademarks without explicit prior consent is prohibited.