Purpose
This policy aims to outline the process of reporting vulnerabilities in our services and products. We recognize the importance of security researchers in keeping our system safe and we request all researchers abide by this policy while disclosing vulnerabilities.
Scope
This policy applies to any discovered vulnerabilities in the digital systems owned, operated, or maintained by Vention.
How to report a vulnerability
All vulnerability reports should be sent via email to bugs@vention.com. Please include as much information as possible, such as the steps to reproduce the vulnerability, the potential impact, and any possible mitigations. If possible, please include proof-of-concept code or screenshots.
You can use the following PGP key to encrypt the communication of sensitive information:
What to expect when you report a vulnerability
Vention will make its best effort to acknowledge valid & impactful reports within 5 business days. Our security team will review your report and determine the severity of the vulnerability. Once the evaluation is done, we will send a response indicating the next steps. Please refrain from publicly disclosing the vulnerability before we've had a chance to address it.
Based on the complexity of the vulnerability, Vention Security will provide status updates and further communications as work progresses to fix the vulnerability.
Safe Harbor
We will not initiate legal action against researchers who discover and report vulnerabilities in accordance with this policy. We consider such activities conducted in good faith under this policy to constitute "authorized" conduct. However, malicious use of a discovered vulnerability to negatively impact the availability, integrity, or confidentiality of Vention systems will negate safe harbor and violate this policy.
Non-Disclosure
The reporter agrees not to disclose the vulnerability to other parties until the vulnerability has been resolved.
Rewards
While we can't promise rewards for every reported vulnerability, we prioritize rewarding the efforts of researchers who provide valuable input and comply with this policy. At the discretion of the Director of CyberSecurity, and within the budget limitations set by Finance, Vention will reward reporters of impactful High and Critical vulnerabilities which result in successful remediation.
Publication
Vulnerabilities which require end-users and customers to update Vention-managed software on their client devices will be disclosed in the changelog for that update. Where required, further publications will be posted on the Security section of the Vention website, and will follow the format guidelines set by ISO 29147.
Policy Guidance
Where appropriate and applicable, Vention strives to follow the processes laid out in ISO 29147.
Policy Updates
This policy may be updated from time to time, and we encourage all security researchers to periodically review this policy.