Responsible Disclosure Policy
Zetes takes the security of our software products and services very seriously. Despite our concern for the security of these systems, it may occur that there still is a vulnerability that slipped through the cracks of our quality assurance processes.
If you believe you have found a security vulnerability in any Zetes-owned software, hardware or source code, then please report it to us as described below. We would like to work with you to protect our customers and our systems in a better way.
We will acknowledge receipt of your vulnerability report as soon as possible and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again. If for some reason you do not receive a timely response from us then please follow up via email to ensure we received your original message.
Please do not report security vulnerabilities through public channels, instead, please report them to the Zetes Cyber Security Incident Response Team at email@example.com.
We prefer all communications to be in English. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of (source) file(s) related to the manifestation of the issue
- When applicable, the location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Impact of the issue, including how an attacker might exploit the issue This information will help us triage your report more quickly.
Rules of Engagement
Don’t disclose the vulnerability until we have been able to correct it. See below for possible publication.
- Don’t exploit the vulnerability by unnecessarily copying, deleting, adapting or viewing data. Or, for example, by downloading more data than is necessary to demonstrate the vulnerability.
- Don’t apply the following actions:
- Placing malware (virus, worm, Trojan horse, etc.).
- Copying, modifying or deleting data in a system.
- Making changes to the system.
- Repeatedly accessing the system or sharing access with others.
- Using automated scanning tools.
- Using the so-called "brute force" of access to systems.
- Using denial-of-service or social engineering (phishing, vishing, spam,...).
- Don’t use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- Immediately erase all obtained/exfiltrated data as soon as it is reported.
- Don’t perform actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.
Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with Zetes. If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.
We would like to thank you for helping us improving the security of our software. We really appreciate your efforts to disclose the issue responsibly, and will make every effort to acknowledge your contributions.
If you have any questions, we encourage you to address them to the Zetes Cyber Security Incident Response Team at firstname.lastname@example.org. In case of doubt about the applicability of this policy, please contact us first via this e-mail address, to ask for explicit permission. Zetes reserves the right to change the content of this Policy at any time, or to terminate the Policy.