Vulnerability disclosure policy
25 October 2021
1. RESPONSIBLE VULNERABILITY DISCLOSURE POLICY
Zigor, a company that specialises in developing robust, flexible and efficient solutions, considers the security, privacy and integrity of our products and services as a priority and something that we take very seriously.
We are committed to ensuring that our products are secure for our customers As we recognise the importance of cybersecurity in products and solutions, we are registered as a CNA within the scope of INCIBE, therefore we are authorised to assign CVE (CVE IDs) identifiers to vulnerabilities that affect our products.
2. REPORT A SECURITY OR PRIVACY VULNERABILITY
To report a suspected security or privacy vulnerability, send an email to firstname.lastname@example.org, including the following information at least:
- Reference and serial number of the product and the software that you believe is affected.
- A description of the behaviour that you have observed the behaviour that you expected.
- A numbered list of the necessary steps to reproduce the problem and, if they are difficult to follow, a video demonstration.
- Potential impact.
3. ACKNOWLEDGEMENT OF RECEIPT
Upon receipt of your email, we will respond to confirm receipt.
4. IDENTIFY VULNERABILITIES AND ASSIGN A CVE ID:
- We will divide the report into independently solvable problems.
- We will determine if these problems are vulnerabilities.
- If they are, and if the vulnerabilities are within our scope, we will then record the ID assignments.
5. COMMUNICATE THE ASSIGNMENTS TO THE INFORMANT
The assigned IDs will be communicated to the informant and where they can be tracked.
6. LEGAL COMPLIANCE IN THE SEARCH FOR VULNERABILITIES
Take compliance with the law into account. The exploration and search for vulnerabilities cannot be used as a pretext for attacking a system or any other purpose. For this reason, following actions are not allowed in the search for vulnerabilities:
- Any form of physical attack.
- Using social engineering.
- Persistently putting the system at risk and maintaining access to it.
- Using the vulnerability for any action that does not demonstrate its existence by making use of non-aggressive methods.
- Modifying data accessed by exploiting the vulnerability.
- Using malware.
- Using brute force attacks.
- Denial of service tests (DoS or DDoS).
- Sharing the vulnerability with third parties.
- Accessing non-public areas. The activity must be stopped immediately and the vulnerability reported.
- Affecting the availability of the services and the proper operation of the device. The activity must be stopped immediately and the vulnerability reported.
Keep information confidential on any vulnerability discovered between you and Zigor until we resolve the problem.
Zigor reserves the right to amend this policy at any time, at its sole discretion.