Vulnerability Disclosure Policy
Feith Systems is dedicated to upholding the highest standards of data protection and information security for our clientele.
Introduction
This document delineates the framework for ethical vulnerability research within our digital environments, providing clear directives for security experts in their discovery endeavors and detailing the protocol for reporting vulnerabilities.
This guidance specifies the applicable systems and research types under this policy, elaborates on the process for submitting vulnerability reports, and outlines the expected timeframe for researchers prior to any public disclosure of vulnerabilities.
We strongly advocate for engagement with our team to disclose potential vulnerabilities identified within our infrastructure.
Authorization
Feith Systems assures that if your security investigation is conducted in compliance with this policy, it is deemed authorized. We pledge to collaborate with you to comprehend and rectify the matter expeditiously.
Feith Systems commits to not initiating or endorsing legal proceedings concerning your research conducted per this policy. In the event of third-party legal actions arising from your policy-abiding activities, we will affirm this authorization.
Guidelines
Within this framework, “research” pertains to actions where you:
- Promptly inform us upon identifying a legitimate or potential security threat.
- Strive to prevent privacy infringements, user experience disruption, production system destabilization, and data damage or manipulation.
- Use exploits only as far as needed to confirm that a vulnerability exists; do not use them to access or exfiltrate data, establish persistent access, or pivot to other systems.
- Allow us a reasonable period to address the issue before opting for public disclosure.
- Refrain from submitting numerous low-impact findings.
Upon detecting a vulnerability or encountering sensitive data (including personal, financial, or proprietary information), cease testing immediately, notify us, and do not share the information further.
Prohibited Testing
- Network denial-of-service (DoS or DDoS) testing, or any other activity that degrades the availability or integrity of systems or data.
- Engaging in physical intrusion attempts, social engineering (phishing, vishing), or other non-technical vulnerability assessments.
Scope
Services not explicitly mentioned, including third-party services, are beyond this policy’s scope and unauthorized for testing. For vulnerabilities in our partners’ or clients’ systems, report directly to them. Uncertain about a system’s applicability? Consult us at it-sec@feith.com before initiating your research.
While we operate numerous web-accessible platforms, this policy restricts active investigations to the designated systems. Should you believe an out-of-scope system warrants examination, please discuss it with us first.
Vulnerability Disclosure
Submissions under this protocol are exclusively for remediation purposes. Should your findings have broader implications, we may coordinate with the Cybersecurity and Infrastructure Security Agency under their vulnerability disclosure protocol. Your personal details will remain confidential unless you provide explicit consent for disclosure.
Report vulnerabilities via it-sec@feith.com. Anonymous submissions are welcome. If you provide contact details, expect an acknowledgment within three business days.
We value reports that:
- Specify the vulnerability’s location and potential impact.
- Detail the reproduction steps (including scripts or screenshots).
- Preferably, are in English.
What to expect from us:
- An acknowledgment within three business days.
- Transparency in the vulnerability verification and resolution process.
- Ongoing communication about remediation progress.
Inquiries
For questions or policy improvement suggestions, reach out to it-sec@feith.com. We welcome your feedback and aim to enhance this policy continually.