Vulnerability Disclosure Policy

Last Updated: 2026

Purpose

Momentum is committed to maintaining the highest standards of security across all its systems and digital assets. This Vulnerability Disclosure Policy (VDP) defines how external security researchers can responsibly report potential vulnerabilities to Momentum. The intent is to provide a transparent, secure, and cooperative framework for responsible disclosure that helps identify and remediate security risks efficiently and constructively.

Scope

This policy applies to all digital assets owned, operated, or maintained by Momentum. This includes all systems and subdomains under the momentum.com domain, as well as any publicly accessible web applications, APIs, or mobile applications managed by Momentum. It also covers cloud services and third-party integrations explicitly under Momentum’s control. Systems or services that are not owned, operated, or controlled by Momentum are out of scope for this policy.

Our Commitment

Momentum values the work of ethical security researchers and recognizes the importance of responsible disclosure. We are committed to acknowledging valid reports within five business days, providing updates during the investigation process, and working diligently toward resolution. We will not pursue legal action against individuals who act in good faith, within the boundaries of this policy, and who respect our rules of engagement. Confirmed vulnerabilities will be prioritized and remediated in a responsible and timely manner.

Compensation Not Available

While Momentum appreciates the efforts of researchers who help improve our security, we do not offer monetary compensation, rewards, or bug bounties for vulnerability disclosures at this time. Reports are considered voluntary contributions to our security program by researchers and are reviewed in good faith as part of our coordinated vulnerability management process. Attempts to extort funds as part of a report will be referred to law enforcement.

How to Report

Vulnerability reports should be sent to security@momentum.com. Reports should include a detailed description of the vulnerability, the steps required to reproduce it, proof-of-concept materials (if available), the affected system or URL, and contact information for follow-up. Please avoid including any personally identifiable information or sensitive data unrelated to the finding. Reports sent through any other channels may not be reviewed.

Safe Harbor

Researchers who follow this policy and act in good faith are authorized to conduct limited testing for legitimate security research purposes. Momentum will not initiate legal action or refer compliant researchers to law enforcement and will treat their activities as authorized under applicable laws. If you are uncertain whether your testing is covered by this policy, please contact us at security@momentum.com before proceeding.

Referrals to Law Enforcement

Unauthorized access to systems, exfiltration of confidential, sensitive, or personal data, ransomware attacks, or other activities that appear criminal in nature will be referred to law enforcement.

Rules of Engagement

Testing should be conducted in a controlled, responsible manner and must avoid disruption of services or compromise of data integrity. Researchers must not exploit vulnerabilities beyond the minimum necessary to demonstrate proof of concept, perform denial-of-service or resource exhaustion attacks, access or modify data that is not their own, engage in social engineering or phishing attempts, or attempt to gain physical access to Momentum’s facilities or assets. Public disclosure of any vulnerability should only occur after Momentum has verified and resolved the issue, and both parties have agreed on timing and content.

Disclosure Process

Momentum follows a structured and transparent disclosure process. We acknowledge valid submissions within five business days and aim to complete triage and assessment within ten business days of acknowledgment. Remediation timelines depend on the severity and complexity of the issue. After resolution, we will notify the reporter and confirm closure. We request that researchers refrain from publicly disclosing details until remediation is complete and both parties agree that disclosure is appropriate.

Contact Information

All vulnerability reports should be directed to security@momentum.com. Additional information, including this policy and related security resources, can be found at https://www.momentum.com/vulnerability-disclosure-policy and https://www.momentum.com/.well-known/security.txt.