Responsible Disclosure Policy

Incognito's Responsible Disclosure Policy provides a safe and structured way to report vulnerabilities or policy violations, ensuring transparency, accountability, and protection for those who raise concerns in good faith.


Purpose

To allow for the reporting and disclosure of vulnerabilities discovered by external entities, and anonymous reporting of information security policy violations by internal entities.

Scope

Incognito's Responsible Disclosure Policy applies to Incognito Software's core platform and its information security infrastructure, and to internal and external employees and third parties.

Background

Incognito is committed to ensuring the safety and security of our customers and employees. We aim to foster an environment of trust and an open partnership with the security community, and we recognize the importance of vulnerability disclosures and whistleblowers in continuing to ensure safety and security for all of our customers, our employees and the company. We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to the good-faith security researchers who provide us with their expertise and to the whistleblowers who add an extra layer of security to our infrastructure.

Roles and Responsibilities

  • Head of Finance - owner of policy
  • Whistleblower - any person raising a legitimate concern, based on criteria below
  • Designated Responder - the defined person to whom a matter is disclosed, as based on the defined criteria in the table below

Legal Posture

Incognito will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed Incognito products. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Incognito Software or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the laws of their location and the location of Incognito Software. For example, violating laws that would only result in a claim by Incognito (and not a criminal claim) may be acceptable as Incognito is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Policy

Vulnerability Report/Disclosure

How to Submit a Vulnerability

To submit a vulnerability report to Incognito Software's Product Security Team, please utilize the following email: isteam@incognito.com.

Preference, Prioritization, and Acceptance Criteria

We will use the criteria from the next sections to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from Incognito Software:

  • A timely response to your email.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, Incognito may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Whistle Blowing

How to Submit a Report

To anonymously report an information security program violation or a violation of related laws and regulations, please utilize the table information below.

What we expect from you:

  • Detailed report made in good faith or based on a reasonable belief.
    • Good Faith means the truthful reporting of a company-related violation of information security policies, procedures, or regulations, as opposed to a report made with reckless disregard or willful ignorance of facts.
    • Reasonable Belief refers to the subjective belief in the truth of the disclosure AND that any reasonable person in a similar situation would objectively believe based on the facts.
  • Details of the violation (i.e., what, how, why).
  • Details of the reported event, with facts (i.e., who, where, when).
  • You are NOT responsible for investigating the alleged violation, or for determining fault or corrective measures.

What you can expect from Incognito Software:

  • Your report will be submitted to the designated person, as shown in table below, for review.
  • Protection of your identity and confidentiality.
    • CAVEAT: It may be necessary for your identity to be disclosed when a thorough investigation, compliance with the law, or due process of accused members is required.
  • Protection against any form of retaliation and harassment, such as termination, compensation decreases, or poor work assignments and threats of physical harm.
    • If you believe that you are being retaliated against, immediately contact the designated person in the table below.
    • Any retaliation or harassment against you will result in disciplinary action.
    • CAVEAT: Your right to protection against retaliation does not include immunity for any personal wrongdoing alleged in the report and investigated.
  • Due process for you and for the accused member(s).
  • Corrective actions taken to resolve a verified violation and a review and enhancement of applicable policies and procedures, if necessary or appropriate.
  • Continuous information security awareness training and understanding your rights as a whistleblower.

  1. What is Whistleblowing?
    • Whistleblowing is the disclosure of information which relates to suspected or actual violations of Laws, violations of the Company's policies, or fraudulent activities. A whistleblower is a Representative who raises a good faith concern related to any of the above and reports said concern in accordance with this Policy.
  2. What Is Covered Under This Policy?
    • This Policy covers a concern raised by any person who has reasonable grounds to suspect misconduct or an improper state of affairs or circumstances in relation to the Company or its direct and indirect subsidiaries.
  3. What Is Not Covered Under This Policy?
    • This Policy is not designed to cover a personal work-related grievance. Examples of personal grievances include personal conflict between employees, decisions relating to a transfer or promotion, issues about terms and conditions of employment, and decisions to suspend, discipline or terminate the employment of a reporting person. If Representatives are uncertain whether something is within the scope of this Policy, they should refer their questions to whistleblowing@luminegroup.com.
  4. What is the Company's Commitment to the Whistleblower Program?
    • Harassment or Victimization. The Company will not tolerate harassment, retaliation, or any type of discrimination against a whistleblower who in good faith:
      1. makes a complaint about suspected violations by the Company or a Representative of any Law or violations of the Company's policies;
      2. reports conduct which appears to be unethical, fraudulent, or other illegal behavior on the part of a Representative or the Company;
      3. brings to light controls or other auditing practices that may lead to misrepresentations or other inaccuracies in the Company's financial accounting;
      4. provides information (or causes information to be provided) or assists in an investigation regarding violations of Law, or unethical, fraudulent, or other illegal behavior; or files, testifies, or participates in a proceeding relating to alleged violations of Law, or unethical, fraudulent, or other illegal behavior.
    • Malicious Allegations. Whistleblowers making complaints that are not in good faith may face disciplinary action. Any complaints based on allegations that (i) are without basis and cannot be substantiated, or (ii) are found to be intentionally misleading or malicious will be viewed as a serious offence.
    • Confidentiality & Anonymity. Unless otherwise permitted by Law, any matter that is reported pursuant to this Policy shall be kept confidential. Where it is reasonably necessary for the Company to investigate a matter, the Company may need to disclose information which could lead to the whistleblower's identification for the purposes of investigating the matter. However, in all circumstances the Company will take all reasonable steps to reduce the risk that the whistleblower will be identified in connection with an investigation.

Reporting

All suspected or actual incidents described under this Policy must be reported as follows:

Representatives can provide their names or remain anonymous, and all concerns will be followed up promptly with an appropriate response in accordance with this Policy.

Nothing in this Policy, or any other document or procedure at the Company, shall prevent a Representative from reporting what a Representative reasonably believes is a breach of Law to an appropriate government authority or from seeking legal advice in relation to their rights about disclosing information.

Post-reporting Process

  1. All reports of violations will be dealt with promptly.
  2. Initial inquiries will be made to determine if an extensive investigation is appropriate, and the form it should take. Representatives must demonstrate to the person contacted that there are sufficient grounds for concern. Appropriate corrective action will be taken if warranted by the investigation.
  3. The Company's Vice President, Human Resources will determine (i) the proper treatment for all complaints related to Employment Issues, and (ii) if an outside investigator should be retained.
  4. The Company's General Counsel will determine (i) the proper treatment for all complaints related to legal and regulatory issues including without limitation bribery and corruption, and (ii) if an outside investigator should be retained.
  5. The Audit Committee Chair will determine (i) the proper treatment for all complaints related to financial, accounting, and internal controls and breaches of the policy and (ii) if an outside investigator should be retained.
  6. Each of the Company's Vice President, Human Resources and General Counsel shall discuss their findings with the Chair of the Audit Committee, who will determine whether an incident requires escalation to the Audit Committee for review and further assessment.
  7. The Audit Committee shall have discretion to determine whether any incident requires review by or disclosure to the Company's Board of Directors.

Training

Each Representative must become familiar with, and acknowledge compliance with, this Policy. All Representatives will be required to execute an annual certification acknowledging their review and understanding of this Policy.

Penalties and Consequences

Allegations of misconduct, once substantiated, may result in disciplinary action against the person in question, up to and including termination of employment. If there has been illegal activity, civil penalties or criminal charges may also apply. Fines imposed on Representatives for violations of Laws will not be paid or reimbursed by the Company. Any report that is determined to have been made maliciously, recklessly, or fraudulently will be viewed as a serious offence and may result in disciplinary action, up to and including termination of employment.