Vulnerability Disclosure Policy
CPR Class Finder | A Product of ResQWare LLC
Effective Date: May 20, 2026
Last Updated: May 20, 2026
1. Introduction
ResQWare LLC ("we," "us," "our") values the work of independent security researchers and the broader security community in helping us keep the CPR Class Finder website at https://cprclassfinder.us (the "Site") safe and trustworthy for the people who depend on it to find lifesaving training.
This Vulnerability Disclosure Policy ("Policy") describes how to report a security issue to us responsibly, what is in scope, what is out of scope, and how we will respond. By submitting a report to us, you agree to follow this Policy.
2. Scope
In Scope
- The CPR Class Finder website: https://cprclassfinder.us and its subdomains operated by ResQWare LLC
- Server infrastructure directly supporting cprclassfinder.us
- APIs explicitly documented as part of CPR Class Finder
Out of Scope
Reports concerning the following are out of scope for this Policy:
- The CPR Enroll platform (https://cprenroll.com and dashboard.cprenroll.com) — please report CPR Enroll issues through CPR Enroll's own channels
- Third-party services we use but do not operate (e.g., Stripe, AWS, SendGrid, Twilio, Google) — please report those to the vendor directly
- Issues already known to us (we will let you know if your report duplicates an open issue)
- Findings from automated scanners without a working proof of concept
- Social-engineering attacks against ResQWare LLC employees, contractors, or customers
- Physical-security issues
- Denial-of-service or volumetric attacks
- Reports based purely on missing best-practice configurations without a demonstrable security impact (e.g., missing HTTP headers, SPF/DKIM/DMARC nuances, low-severity TLS suite preferences) — we welcome these as informational but do not treat them as in-scope vulnerabilities
- Findings from a recently updated browser version, or browsers older than the two most recent major versions
- Spam, phishing, or abuse of the contact form
3. Researcher Guidelines
When testing and reporting, we ask that you:
- Make a good-faith effort to avoid privacy violations, destruction of data, and degradation of service.
- Only interact with accounts you own, or with explicit permission from the account holder. Do not access, modify, or destroy data belonging to anyone else.
- Do not exfiltrate data. If a vulnerability gives you incidental access to data, stop, secure the data, and notify us immediately. Do not retain copies.
- Do not run automated scans that generate substantial traffic against the Site. If you need to test rate limiting or large-scale issues, contact us first.
- Do not perform social engineering against ResQWare employees, contractors, or customers.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it (see Section 6).
- Report only one vulnerability per submission, unless you need to chain issues to demonstrate impact.
- Provide enough detail to allow us to reproduce the issue.
4. How to Submit a Report
Send your report by email to:
Email: [email protected]
Subject line: "Security Vulnerability Report — CPR Class Finder"
Please include:
- Summary — a brief description of the vulnerability and its impact.
- Affected URL(s) / endpoint(s) / parameter(s).
- Steps to reproduce, with as much specificity as possible.
- Proof of concept — a payload, request/response pair, screenshot, or short video showing the issue. Avoid demonstrating impact beyond what is necessary to confirm the finding.
- Suggested remediation, if you have one.
- Your contact information and how you would like to be credited (or whether you wish to remain anonymous).
If your report contains sensitive information, you may request that we provide a PGP key or other secure channel; we will respond with a way to share securely.
5. Our Commitment to You
When you submit a report that follows this Policy:
- Acknowledgment. We will acknowledge receipt of your report within five (5) business days.
- Triage. We will work to assess and validate the issue, typically within 10 business days of acknowledgment, and we will keep you informed of progress on a reasonable cadence.
- Remediation. We will fix valid issues as quickly as practical, prioritized by severity and impact. Critical issues are addressed first.
- Communication. We will let you know when the issue has been remediated and, where appropriate, when it is safe to discuss publicly.
- Recognition. If you report a valid vulnerability, we will, with your permission, recognize you by listing your name on a thank-you page, in our internal records, or in the release notes for the fix.
- No retaliation. We will not pursue legal action against researchers who act in good faith and within this Policy, even if a researcher inadvertently causes a minor service disruption while testing. We treat reports as security collaboration, not as intrusions.
We do not currently offer monetary rewards ("bug bounties") for vulnerability reports. This may change in the future, and any change will be reflected in this Policy.
6. Coordinated Disclosure
We follow a coordinated disclosure model. Please:
- Give us a reasonable opportunity to investigate and remediate before disclosing publicly. We generally target 90 days from the date we acknowledge a valid report; some complex issues may require more time, in which case we will work with you on an extended timeline.
- If we have not addressed the issue within the agreed timeframe and have not communicated a credible reason for delay, you may request that we provide a status update and a path to disclosure.
- If at any point you believe an active vulnerability is causing real-time harm to users, contact us immediately so we can prioritize accordingly.
7. Safe-Harbor Statement
ResQWare LLC will not initiate or support legal action against you for security research and reporting carried out in good faith and in accordance with this Policy, including:
- Accessing the Site solely to identify and report a vulnerability
- Avoiding privacy violations and service disruptions
- Not exfiltrating or retaining data
- Reporting promptly and not disclosing publicly before remediation
Activity that violates this Policy, applicable law, or third-party rights is not covered by this safe harbor. Nothing in this Policy authorizes you to violate the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, or any other applicable law.
8. Changes to This Policy
We may update this Vulnerability Disclosure Policy from time to time. The updated version will be posted on the Site with the "Last Updated" date revised. Material changes will be communicated reasonably in advance where practical.
9. Contact
ResQWare LLC
Attn: Security — CPR Class Finder
276 Newport Rd, Suite 205
New London, NH 03257
Email: [email protected]
Thank you for helping keep CPR Class Finder safe for the people who use it to find lifesaving training.
© 2026 ResQWare LLC. All rights reserved. CPR Class Finder is a product of ResQWare LLC.
