Positive Coordinated Vulnerability Disclosure Policy

At Positive Technologies, we consider system security a top priority. Our mission is to make this world driven by information technologies a safer place. We take great care regarding the security of our partners’ and customers’ systems and digital infrastructure, and sometimes in the course of our work, we may discover vulnerabilities in third parties’ systems. When this happens, we take all necessary steps to duly notify the affected party (or “You”) in compliance with its Vulnerability Disclosure Policy available on its website. Where the affected party does not have a Vulnerability Disclosure Policy on its website, we follow the procedure specified below. In any circumstance, we aim to report our vulnerability findings to You as quickly as possible, so You can take appropriate measures to protect your system.

What steps we take:

  • When we discover a vulnerability, we notify You in compliance with your Vulnerability Disclosure Policy available on your website. If we cannot find your Vulnerability Disclosure Policy, we will contact You via e-mail or other contact information indicated on your website;
  • Once we have notified You, we expect You to release a patch or other relevant fix for the vulnerability within 90 days. If the default 90-day timeline is not enough to fix the vulnerability, we may discuss an extension of this term in an open dialogue, provided You actively work with us;
  • To keep You on track, we will send You a reminder e-mail on the 30th and 60th day of the notice;
  • If we do not receive a response from You within 90 days, we reserve the right to publicly disclose our findings in a limited format that does not allow third parties to exploit your vulnerabilities;
  • If You release a patch or other relevant fix for the vulnerability before the 90th day, we may publicly disclose our findings immediately after You release such a patch or other relevant fix for the vulnerability.

We will keep our findings in confidence during the 90 days and will not disclose them without your permission. An exception to this is disclosure to the police and judiciary in the event of prosecution or if the information is demanded.

We would like to play an active role as researchers and would like You to mention our name in any publications You decide to make regarding the vulnerability.

Please feel free to contact us at pt@ptsecurity.com for any matters related to vulnerability disclosure.