Apex Governance LLC (“Apex”) welcomes reports from security researchers and other members of the public who identify potential vulnerabilities affecting apexgscore.com or the systems used to deliver Apex's research and data products. This Policy describes how to report a vulnerability, what is in scope, what is not, and the protections afforded to researchers who act in good faith and within these guidelines.
Apex does not currently operate a paid bug-bounty program. Recognition is offered, where appropriate, in the form of a public acknowledgement (with the researcher's permission) and a written thank-you.
§ 01 How to Report
Send vulnerability reports to security@apexgscore.com. Reports may be submitted in English or Korean. Where a report includes information that the researcher considers sensitive, encryption is supported on request — please send an initial unencrypted message indicating the topic and Apex will arrange a secure channel for the substantive disclosure.
A useful report typically includes: a description of the vulnerability and its potential impact, the URL or component affected, the steps required to reproduce the issue, any proof-of-concept material (text, screenshots, or video), the date and approximate time of any testing performed, and the contact information at which the researcher would like to be reached.
Apex will acknowledge receipt of a report within five (5) business days and will provide an initial assessment within fifteen (15) business days. Subsequent communications are calibrated to the severity and complexity of the issue.
§ 02 Scope
The following are within scope:
- the production website at apexgscore.com and any subdomains operated by Apex;
- the delivery infrastructure used to provide data products to subscribers under contract (where you have legitimate, authorized access as a subscriber);
- publicly accessible API endpoints (if and when made available);
- email-handling infrastructure (insofar as the vulnerability would allow spoofing of mail purporting to originate from Apex domains).
Vulnerability classes of particular interest include: authentication and authorization flaws, injection vulnerabilities, server-side request forgery, sensitive-information exposure, business-logic flaws affecting access to gated materials, account-takeover paths, and supply-chain vulnerabilities affecting Apex's dependencies in a way that creates exploitable risk against Apex.
§ 03 Out of Scope
The following activities are explicitly out of scope and are not authorized under this Policy:
- denial-of-service testing of any kind, whether at the network, application, or business-logic layer;
- volumetric or sustained automated scanning that materially impacts Website availability or generates a non-trivial cost on Apex;
- physical attacks against Apex personnel, premises, or hardware;
- social-engineering attacks against Apex personnel, contractors, or vendor staff (including phishing, vishing, smishing, or pretexting);
- attacks against third-party platforms that Apex relies upon (those platforms have their own disclosure programs and are the appropriate destination for such reports);
- testing performed against subscriber tenants or other third parties' environments using Apex-issued credentials or access;
- exfiltration, retention, modification, or deletion of any personal information, subscriber data, source filings, or production datasets;
- testing that pivots beyond the minimum demonstration required to establish that a vulnerability exists.
Reports of common low-severity findings without demonstrated impact — for example, missing security headers without an exploitable consequence, automated-scanner outputs without manual validation, version-disclosure findings without a concrete attack chain, or self-XSS scenarios — are accepted but generally do not warrant detailed follow-up.
§ 04 Safe Harbor
Apex will treat security research conducted in good faith and in accordance with this Policy as authorized conduct, and will not pursue legal action under the Computer Fraud and Abuse Act, the Korean Information and Communications Network Act, the Digital Millennium Copyright Act's anti-circumvention provisions, or analogous laws in other jurisdictions, against researchers who comply with this Policy.
To benefit from this safe harbor, the researcher must: (a) limit testing to the in-scope assets and avoid the out-of-scope activities listed above; (b) make a good-faith effort to avoid privacy violations, service degradation, and harm to third parties; (c) stop testing and notify Apex promptly upon discovery of a vulnerability; (d) refrain from accessing, modifying, or storing data beyond the minimum necessary to demonstrate the vulnerability; and (e) refrain from public disclosure of the vulnerability before Apex has had a reasonable opportunity to investigate and remediate, as described below.
This safe harbor extends only to claims that Apex itself could bring against the researcher; it does not bind third parties whose systems may be incidentally implicated, and researchers are responsible for understanding the laws applicable to their activities in their own jurisdiction.
§ 05 Coordinated Disclosure
Apex requests a coordinated-disclosure window of ninety (90) days from the date of acknowledgement before any public discussion of the vulnerability. This window may be extended by mutual agreement where remediation is genuinely complex; it may be shortened where the vulnerability is already actively exploited in the wild or has been independently disclosed.
At the conclusion of the disclosure window, Apex will publish (or permit the researcher to publish) a description of the vulnerability and its remediation. Researchers who wish to be acknowledged by name in such publications are invited to indicate this in their report; researchers who prefer to remain anonymous will be respected accordingly.
§ 06 What Apex Will Do
For each in-scope report received, Apex will:
- acknowledge receipt within the timelines stated above;
- investigate the report, validate the vulnerability, and assess severity;
- maintain reasonable communication with the reporter throughout the remediation process;
- remediate the vulnerability on a timeline appropriate to its severity;
- credit the reporter at the conclusion of the disclosure window, if and as the reporter wishes; and
- not pursue legal action against the reporter for activities conducted in good faith and in accordance with this Policy.
§ 07 Updates
Apex may update this Policy from time to time to reflect changes in scope, contact channels, or process. The version in effect at the time a report is submitted is the version that applies to that report. Material changes will be reflected in the “Last Updated” date at the top of this page.