At Gridware, we take the security of our infrastructure, products and services very seriously. Protecting our clients, users and ensuring that vulnerabilities are responsibly disclosed and addressed is of utmost importance to us. This page outlines our policies and processes for reporting, acknowledging, and mitigating security vulnerabilities.
1. Scope of Disclosure
This policy applies to any vulnerability affecting our:
- Software products: Applications, tools, and libraries.
- Services: Cloud-based or hosted services.
- Infrastructure: Websites and systems accessible to customers or partners.
If you identify a vulnerability within these products or services, we encourage you to follow the responsible disclosure guidelines outlined below.
Please note that there is no reward scheme for discovering a vulnerability.
2. Reporting Vulnerabilities
We encourage security researchers, partners, and customers to report any vulnerabilities they find.
How to Report:
- Email: Send your findings to [email protected] with a subject line containing “Vulnerability Disclosure”.
Required Information:
- Affected product, service, or infrastructure.
- Detailed description of the vulnerability.
- Steps to reproduce the issue.
- Proof of concept (if applicable).
- Recommended remediation.
- Any potential impact of the vulnerability.
3. Acknowledgment and Response
Upon receiving your vulnerability report, we will:
- Acknowledge your submission within 5 business days.
- Investigate the issue and assess its severity.
- Provide regular updates on the progress of the investigation and remediation.
- Coordinate a public disclosure once the issue has been resolved.
4. Our Commitment
We commit to:
- Respond promptly and responsibly.
- Work with you to understand the issue fully and resolve it.
- Credit you (with your permission) for the discovery once the vulnerability is remediated.
- Keep you informed of remediation progress and timelines.
5. Disclosure Timeline
We follow a coordinated disclosure timeline:
- Initial Response: Within 5 business days.
- Assessment: We will evaluate the vulnerability and assign it a severity rating using CVSS.
- Resolution and Fix: Depending on the severity, our goal is to release a fix within 90 days for high-severity issues. Critical vulnerabilities may receive an emergency patch sooner.
- Public Disclosure: Once a fix is available and verified, we will coordinate with you on a public announcement.
6. Public Announcements
We will publicly disclose the details of the vulnerability once:
- A fix is available and deployed.
- Sufficient time has been given to customers to apply the patch.
We will publish security advisories on the Gridware Threat Blog.
7. CVE Assignment
As a CVE Numbering Authority (CNA), we will assign a CVE ID to validated vulnerabilities. If you’re a researcher reporting a vulnerability, you will be credited for the CVE submission (unless you prefer anonymity).
8. Do Not Report the Following:
- SSL/TLS-based vulnerabilities; for example: BREACH attack, or invalid SSL certificate.
- Missing security headers.
- Fingerprinting/Banner disclosures.
- Content Spoofing.
- Information disclosure of non-confidential information.
- Password AutoComplete Enabled.
- Insecure HTTP Transport.
- TLS Cookie Without HTTP Only Flag Set.
- Content Security Policy (CSP).
- Insecure Frame.
9. Out-of-Scope
The following are considered out-of-scope:
- Social engineering attacks (phishing).
- Physical attacks on infrastructure or devices.
- Vulnerabilities in third-party libraries unless they directly affect our products.
- Denial of Service (DoS) attacks unless they expose a broader security flaw (this includes brute forcing).
- Any breach of the Internal network or services.
- Posting, transmitting, uploading, linking to, or sending any malware.
- Attempts to modify or destroy data.
- Attempts to extract or exfiltrate sensitive data.
- Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
10. Safe Harbor
We value the contributions of security researchers and commit to:
- No legal action against researchers who report vulnerabilities responsibly.
- Encouraging adherence to ethical research and responsible disclosure guidelines.
11. Contact Us
For any questions regarding this policy or to submit a report:
Email: [email protected]
We appreciate your efforts in helping us maintain a secure environment for all users.
