Internal Security Engineering · Coordinated Vulnerability Disclosure
Report a vulnerability
We take security reports seriously. Read the policy below before submitting — it covers scope, response time, and the legal safe harbor we offer to good-faith researchers.
Service-Level Commitment
The default 90-day coordinated disclosure window can be extended by mutual agreement for complex vulnerabilities; researchers may request shorter timelines for actively exploited issues.
Scope
In-scope
- Products listed in the vendor's public catalog (/lookup).
- Latest GA release and the immediately previous release of each product.
- First-party services run by the organization at production endpoints.
Out-of-scope
- Social-engineering attacks against staff or supply-chain partners.
- Physical attacks against vendor or customer facilities.
- Denial-of-service attacks that interrupt customer service.
- Findings that depend on outdated browsers (more than 2 versions old) or unsupported operating systems.
- Reports generated solely by automated scanners without exploit demonstration.
Safe Harbor
Researchers acting in good faith and respecting this policy will not face civil, criminal, or administrative action initiated by the vendor. Good faith requires: (1) testing only in-scope assets, (2) avoiding service disruption and data destruction, (3) not accessing data beyond what is necessary to prove impact, (4) reporting through the channels listed above before public disclosure.
Compliance Frameworks
- EU CRA (Regulation 2024/2847) Annex I Part II §2.5 + §2.6
- ISO/IEC 29147:2018 — Vulnerability disclosure
- ISO/IEC 30111:2019 — Vulnerability handling processes
Downloads & Alternate Formats
- Full policy (DOCX, signable hardcopy)
- Machine-readable JSON (for SBOM tooling, SaaS marketplaces)
- Backend-rendered HTML
- /.well-known/security.txt (RFC 9116)