This Vulnerability Disclosure Policy (“VDP”) describes how Praedium Insights LLC (“Praedium,” “we,” “us,” or “our”) receives and responds to good-faith reports of security vulnerabilities in the Praedium cloud-based real estate platform (the “Services”). We welcome reports from independent security researchers and from any user who discovers a potential vulnerability. This VDP supplements our Acceptable Use Policy, Incident Response Plan, and Software as a Service Subscription Agreement.
1. Scope
In Scope
The following are within the scope of this VDP:
- https://praediuminsights.com
- https://*.praediumcrm.com (tenant application subdomains, e.g. .praediumcrm.com and admin.praediumcrm.com)
- The application API, which is path-based under /api/ on the application hosts above (there is no separate api. subdomain)
- Authentication and OAuth integrations operated by Praedium
Out of Scope
The following are not within the scope of this VDP:
- Third-party services and infrastructure (Render, Google Cloud Platform, OpenAI, Repliers, etc.) — report to the vendor directly
- Customers’ own data, accounts, or content
- Social engineering of Praedium personnel or customers
- Physical attacks against Praedium offices or personnel
- Denial-of-service testing of any kind
- Automated scanning at rates that affect availability
- Findings against issues already publicly disclosed by Praedium or vendors
- Marketing site content (typos, broken links)
2. Safe Harbor
Praedium considers good-faith security research conducted in accordance with this VDP to be:
- a. Authorized in the sense intended by the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and analogous state computer-misuse laws;
- b. Authorized in the sense intended by the Digital Millennium Copyright Act (17 U.S.C. § 1201(j));
- c. Exempt from Praedium’s Acceptable Use Policy and Software as a Service Subscription Agreement for the purposes of conducting the research; and
- d. Lawful, helpful, and welcomed.
Praedium will not pursue or support civil or criminal action against researchers who report vulnerabilities in compliance with this VDP. If legal action is initiated by a third party against a researcher who complied with this VDP, Praedium will make this authorization known.
3. Rules of Engagement
When testing, you must:
- a. Stay within scope (Section 1).
- b. Avoid accessing, modifying, downloading, or destroying data that does not belong to you. If you encounter Personal Data, MLS data, or any data of a third party, stop immediately, do not retain it, and include the encounter in your report.
- c. Avoid actions that could harm the Service, its availability, or its users — in particular, no DoS, brute-force credential-stuffing, resource-exhaustion testing, social engineering, or physical access.
- d. Use only your own test accounts. Do not authenticate as another user without that user’s explicit written consent.
- e. Limit automated scanning to a rate that does not affect availability. Recommended: throttle to ≤ 5 req/s; do not parallelize scanners across multiple IPs.
- f. Comply with all applicable laws.
- g. Give Praedium reasonable time to investigate and remediate before any public disclosure (Section 6).
- h. Do not engage in extortion or demand payment as a condition of disclosure. (Praedium does not currently operate a paid bug bounty; see Section 7.)
4. How to Report
| Email | security@praediuminsights.com |
|---|---|
| Subject | VDP Report — [Brief description] |
| PGP key | Available on request |
Please include:
- a. A clear description of the vulnerability and where you found it (URL, endpoint, parameter)
- b. Steps to reproduce, including any test accounts used
- c. Proof-of-concept (screenshots, request/response, video) — minimize captured PII
- d. The potential impact you assessed
- e. Any environment details (browser, OS, tooling) relevant to reproduction
- f. Your name or handle and a contact email
- g. Whether you want to be acknowledged in our public Acknowledgments list (Section 8)
A security.txt file at https://praediuminsights.com/.well-known/security.txt provides current reporting endpoints in the format defined by RFC 9116.
5. What to Expect
| Step | Target Time |
|---|---|
| Acknowledgment of receipt | Within 2 business days |
| Initial triage and severity assessment | Within 5 business days |
| Status update | At least every 14 days until resolution |
| Remediation of Critical / High issues | 7 / 30 days respectively (target) |
| Remediation of Medium / Low issues | 90 / 180 days respectively (target) |
| Notification of fix and request for retest | Upon deployment |
Severity is assessed using CVSS v3.1 as a guideline; final severity is set by Praedium based on context (exploitability, data sensitivity, MLS impact).
6. Coordinated Disclosure
We ask that researchers do not publicly disclose details of a vulnerability until Praedium has had a reasonable opportunity to remediate. The default coordination window is:
- a. Ninety (90) days after the initial report, or
- b. Earlier, if both parties agree, or
- c. Later, if remediation is technically complex and Praedium provides regular updates.
If Praedium fails to acknowledge a report within 14 days or provides no substantive update for 60+ days, you are welcome to disclose responsibly.
We will not request indefinite confidentiality.
7. Recognition
We do not currently operate a paid bug bounty program. We may, at our discretion, provide:
- a. Public acknowledgment in our Security Hall of Fame at https://praediuminsights.com/security/acknowledgments (you may request anonymity instead)
- b. Praedium swag for material findings
- c. Reference letters for impactful contributions
A formal bug bounty program is on our roadmap. If we open one, this VDP will be updated.
8. Acknowledgments
We thank the following researchers for their responsible disclosures (newest first). To be added, indicate consent in your report.
(empty as of go-live — will be populated as reports are confirmed)
9. Limitations
- a. This VDP is not a customer contract and does not modify any executed agreement.
- b. This VDP grants no rights to access Praedium systems beyond what is necessary for good-faith security testing within scope.
- c. This VDP does not authorize testing of any system operated by a Praedium customer or third party.
- d. Praedium may amend this VDP at any time. Material amendments will be communicated through the Services or via the public security.txt.
10. Contact
| Security reports | security@praediuminsights.com |
|---|---|
| General questions | support@praediuminsights.com |
| Legal | legal@praediuminsights.com |
Praedium Insights LLC
https://praediuminsights.com
Appendix A — security.txt Content
Publish the following at https://praediuminsights.com/.well-known/security.txt (also mirror at the application host, e.g. https://admin.praediumcrm.com/.well-known/security.txt). Sign the file with the security@praediuminsights.com PGP key.
```text
# RFC 9116 security.txt
Contact: mailto:security@praediuminsights.com
Contact: https://praediuminsights.com/security/report
Expires: 2027-06-15T00:00:00.000Z
Encryption: https://praediuminsights.com/.well-known/security-pgp-key.txt
Acknowledgments: https://praediuminsights.com/security/acknowledgments
Preferred-Languages: en
Canonical: https://praediuminsights.com/.well-known/security.txt
Policy: https://praediuminsights.com/legal/vulnerability-disclosure
Hiring: https://praediuminsights.com/careers
```
Notes for the engineer publishing security.txt:
- Expires is required by RFC 9116. Refresh annually (or earlier).
- Confirm the PGP key URL resolves and the key fingerprint matches the one displayed on the security page.
- Validate the file with https://securitytxt.org or dig for content + headers.
- The file MUST be served over HTTPS at the /.well-known/security.txt path.
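A small validator for the Appendix A file, added here as an illustration rather than Praedium's own tooling: it parses the security.txt fields and checks the points in the notes above (a Contact and exactly one Expires present, Expires in the future and under a year out, and the URL a copy is served from, including a mirror on the application host, listed in Canonical). The file contents are a constructed copy of Appendix A embedded inline, and the `now` parameter is an assumption added so the check is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the Appendix A file so the check runs offline.
SECURITY_TXT = """\
# RFC 9116 security.txt
Contact: mailto:security@praediuminsights.com
Contact: https://praediuminsights.com/security/report
Expires: 2027-06-15T00:00:00.000Z
Encryption: https://praediuminsights.com/.well-known/security-pgp-key.txt
Acknowledgments: https://praediuminsights.com/security/acknowledgments
Preferred-Languages: en
Canonical: https://praediuminsights.com/.well-known/security.txt
Policy: https://praediuminsights.com/legal/vulnerability-disclosure
Hiring: https://praediuminsights.com/careers
"""
def parse_security_txt(text):
    """Map lower-cased field name -> list of values; comments and blank lines skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields
def validate_security_txt(text, served_at, now=None):
    """Return a list of problems (empty list means the file passes the RFC 9116 checks below)."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    if not f.get("contact"):
        problems.append("missing Contact (required by RFC 9116)")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (required by RFC 9116)")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if exp <= now:
                problems.append("Expires is in the past: the file is stale")
            elif exp - now > timedelta(days=366):
                problems.append("Expires more than a year out (RFC 9116 recommends under a year)")
    # A mirrored copy (e.g. on the application host) must list its own URL in Canonical.
    if "canonical" in f and served_at not in f["canonical"]:
        problems.append(f"served URL {served_at} is not listed in Canonical")
    return problems
```

Run it against the fetched file from each host it is published on; a mirror on admin.praediumcrm.com will fail the Canonical check unless that copy also lists its own URL.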