Responsibility Disclosure Policy

Updated on Mar 12, 2026 

Purpose

Relocity is committed to protecting the privacy and security of our users, systems, and data. This policy outlines how security researchers, ethical hackers, and members of the public can responsibly report vulnerabilities in our systems, in accordance with California law and industry best practices.

Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to report it to us promptly and responsibly.
Please email your findings to security@relocity.com with the subject line: Vulnerability Disclosure.

Include the following in your report:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and affected systems
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your contact information (optional)

We Ask That You

  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not perform denial-of-service attacks or actions that degrade system performance
  • Do not publicly disclose the vulnerability until we have resolved it

Our Commitment To You

Upon receiving your report, Relocity will:

  • Acknowledge receipt within 5 business days
  • Investigate the issue and provide status updates
  • Work to resolve verified vulnerabilities in a timely manner
  • Credit you publicly (if desired) once the issue is resolved

Safe Harbor

This policy is intended to align with the principles of responsible disclosure and safe harbor protections. If your actions are consistent with this policy and conducted in good faith, we consider them authorized and will not initiate legal action.

We do not pursue legal action against individuals who report vulnerabilities in good faith and comply with this policy. This includes protections under California law for good-faith security research (Cal. Penal Code § 502 and related statutes).

Vulnerability Handling & Disclosure

Relocity investigates all reported vulnerabilities promptly and thoroughly. If a vulnerability poses a risk to user data or system integrity, we prioritize remediation and may notify affected parties in accordance with applicable laws.

Relocity does not share unresolved vulnerabilities publicly and will only disclose technical details once remediation is complete and risk is mitigated.

Partner Responsibilities

Relocity maintains legal and contractual obligations to its business partners. In the event a vulnerability affects partner systems or data, and does not result in the compromise of customer or employee information, Relocity will report the issue directly to the partner and will not publicly disclose the vulnerability unless authorized.

Privacy and Compliance

If a vulnerability involves personal information as defined under the California Privacy Rights Act(CPRA), Relocity will assess the risk, notify affected individuals as required by Cal. Civ. Code §1798.82, and take appropriate remediation steps.