Public disclosure of the existence of vulnerabilities in Thermo Fisher Scientific’s software, web sites, or other properties, including any details or steps for validation, is prohibited without express written permission from Thermo Fisher Scientific. Any such disclosure will render the report noncompliant with this Coordinated Disclosure Policy. Also note the following partial list of actions are considered out-of-scope for responsible vulnerability testing and disclosure:

• Purposefully accessing, modifying, or downloading data from or details of an account that does not belong to the researcher.
  
  
• Any form of Denial of Service (DoS) attack.
  
  
• Any use of phishing or attacking users or employees of Thermo Fisher Scientific.
  
  
• Testing of third-party applications, websites, or services not owned by Thermo Fisher Scientific.
  
  
• Any form of attack resulting in the likely damage to or degraded performance of Thermo Fisher Scientific’s property, web presence, or public image.

By reporting a vulnerability, you (the researcher) agree to allow Thermo Fisher Scientific the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before either party discloses detailed vulnerability or exploit information to the public. Thermo Fisher Scientific is committed to coordinating with researchers throughout the vulnerability investigation and will provide researchers with updates on progress. Upon release of an update, Thermo Fisher Scientific may, with the researcher’s permission, publicly acknowledge the researcher’s contributions and express gratitude to him/her for privately reporting the issue. If attacks are underway in the wild, and Thermo Fisher Scientific is still working on the update, then both researchers and representatives of Thermo Fisher Scientific are expected to work together as closely as possible to provide early public vulnerability disclosure when necessary to protect customers.