Positive coordinated vulnerability disclosure policy

At Positive Technologies, system security is our top priority. We are dedicated to making this technology-driven world a safer place. We take great care to safeguard our partners' and customers' systems and digital infrastructure, and sometimes in the course of our work, we may discover vulnerabilities in the systems of third parties. When this happens, we take all necessary steps to notify the affected third party (also referred to here as "you") in compliance with the vulnerability disclosure policy found on that party's website. If the party does not have a vulnerability disclosure policy on its website, we follow the procedure specified below. No matter what, we aim to report our vulnerability findings to you as quickly as possible so that you can take appropriate measures to protect your systems.

Here are the steps we take after discovering a vulnerability:

  • We notify you in compliance with the vulnerability disclosure policy on your website. If we cannot find a vulnerability disclosure policy, we will contact you via email or another contact method indicated on your website.
  • Once we have notified you, we expect you to release a patch or other appropriate fix for the vulnerability within 90 days. If the default 90 days are not enough for you to fix the vulnerability, an extension is possible, provided that communication and efforts are ongoing.
  • As an additional measure, we will send a reminder email on the thirtieth (30th) and sixtieth (60th) days after the initial notification.
  • If we do not receive a response from you within 90 days, we reserve the right to publicly disclose our findings in a limited format that does not contain information that would enable other parties to exploit the vulnerability.
  • If you release a patch or other fix for the vulnerability before the ninetieth (90th) day, we may publicly disclose our findings immediately after you release the patch or fix.

We will keep our findings in confidence for 90 days and will not disclose them without your permission. Exceptions to this may occur in case of law enforcement demands or legal proceedings.

We would like to play an active role as researchers and would appreciate your mentioning Positive Technologies in any publications you decide to make regarding the vulnerability.

Please feel free to contact us at info@ptsecurity.com for any matters related to vulnerability disclosure.