Responsible Vulnerability Disclosure

Responsible Vulnerability Disclosure Policy
RATE Solutions Inc. | Version 1.0 | Effective: September 16th, 2025

Purpose
RATE Solutions Inc. (“RATE”) is committed to the security of our systems and services. This page provides a channel for good-faith security researchers to report potential vulnerabilities so we can remediate them promptly.

How to Report
Email suspected vulnerabilities to security@ratesolutionspr.com with: description, steps to reproduce, affected URLs/hosts, impact, and (if available) a proof-of-concept. Do not include sensitive data beyond what is necessary to demonstrate the issue.

Our Commitment

• Acknowledge receipt within 3 business days.
• Provide a status update within 7 business days after triage.
• Remediate validated findings on a risk-based timeline (Critical/High prioritized).

Safe Harbor
If you act in good faith under this policy while researching and reporting, RATE will not initiate legal action for your research. This safe harbor does not apply to actions that cause harm, data exfiltration, privacy violations, or service disruption.

Rules of Engagement

• No testing that degrades service, exploits beyond proof-of-concept, or accesses data that is not your own.
• No social engineering, phishing of our staff, physical attacks, or denial-of-service.
• No public disclosure before remediation without written permission from RATE.

Scope

• In scope: RATE-owned public websites, portals, and systems expressly identified by RATE.
• Out of scope: Third-party platforms not administered by RATE; any client systems (including T-Mobile assets); social media; physical infrastructure; and anything that would violate laws or third-party terms of service.

Severity & Remediation Targets

• Critical: begin mitigation within 24 hours; remediation target ≤ 15 days.
• High: remediation target ≤ 30 days.
• Medium/Low: remediated as scheduled; tracked to closure.

Recognition & Bounties
RATE does not operate a bug bounty program at this time. With permission, we may credit researchers upon closure.

Privacy
Do not access or store personal or confidential data. If such data is inadvertently accessed, cease testing, notify us immediately, and delete local copies after coordination with RATE.

Contact
security@ratesolutionspr.com