Purpose
This policy aims to outline the process of reporting vulnerabilities in our services and products. We recognize the importance of security researchers in keeping our system safe and we request all researchers abide by this policy while disclosing vulnerabilities.
Scope
This policy applies to any discovered vulnerabilities in the digital systems owned, operated, or maintained by Vention.
How to report a vulnerability
All vulnerability reports should be sent via email to bugs@vention.com. Please include as much information as possible, such as the steps to reproduce the vulnerability, the potential impact, and any possible mitigations. If possible, please include proof-of-concept code or screenshots.
You can use the following PGP key to encrypt the communication of sensitive information:
What to expect when you report a vulnerability
Vention will make its best effort to acknowledge valid & impactful reports within 5 business days. Our security team will review your report and determine the severity of the vulnerability. Once the evaluation is done, we will send a response indicating the next steps. Please refrain from publicly disclosing the vulnerability before we've had a chance to address it.
Based on the complexity of the vulnerability, Vention Security will provide status updates and further communications as work progresses to fix the vulnerability.
Safe Harbor
We will not initiate legal action against researchers who discover and report vulnerabilities in accordance with this policy. We consider such activities conducted in good faith under this policy to constitute "authorized" conduct. However, malicious use of a discovered vulnerability to negatively impact the availability, integrity, or confidentiality of Vention systems will negate safe harbor and violate this policy.
Non-Disclosure
The reporter agrees not to disclose the vulnerability to other parties until a vulnerability has been resolved.
Rewards
While we can't promise rewards for every reported vulnerability, we prioritize rewarding the efforts of researchers who provide valuable input and comply with this policy. At the discretion of the Director of CyberSecurity, and within the budget limitations set by Finance, Vention will reward reporters of impactful High and Critical vulnerabilities which result in successful remediation.
Publication
Vulnerabilities which require end-users and customers to update Vention-managed software on their client devices will be disclosed in the changelog for that update. Where required, further publications will be posted on the Security section of the Vention website, and will follow the format guidelines set by ISO 29147.
Policy Guidance
Where appropriate and applicable, Vention strives to follow the processes laid out in ISO 29147.
Policy Updates
This policy may be updated from time to time, and we encourage all security researchers to periodically review this policy.
Contact Us
If you have any questions about this policy, please contact us at bugs@vention.com.