vulnerability Disclosure Policy
Ascertia recommends reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it.
Here at Ascertia we support and actively endorse working with the research and security community to improve security of our products and services.
We are committed to resolving vulnerabilities found in our products in a careful and timely manner. We endeavour to take appropriate and necessary steps to minimize any risk to our customers and partners and aim to provide information and solutions to address security threats within our products.
We follow responsible disclosure guidelines to ensure customers and partners can address potential vulnerabilities as quickly as possible to mitigate associated risks.
We are committed to:
The Ascertia disclosure policy applies only to vulnerabilities in our products and services under the following conditions:
We recommend that security researchers contact the Ascertia Security Team by sending an email to email@example.com.
Encrypt your report using the Ascertia Security Team PGP Key, to prevent critical information from being accidentally disclosed.
PGP key Fingerprint: 9685 1467 43CD 5200 35FA B034 49E5 1CC3 7CB3 81F3
When submitting information about a suspected vulnerability, please provide as much of the following information as possible:
Any report should provide a safe, non-destructive, proof of exploitation wherever possible. This helps us to ensure that the report can be reviewed quickly. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities.
In order to protect our existing customers, partners and yourself we strongly recommend that you:
We will handle all reports with strict confidentiality and will not disclose your personal information to third parties without your permission.
Security vulnerabilities in Ascertia products are actively managed through our vulnerability management process and covers four stages:
The Ascertia disclosure policy ensures all customers receive the same information at the same time to avoid introducing further risk.
Ascertia has a direct relationship with all customers and partners, Ascertia will communicate any item with all affected customers as soon as any risk is discovered, as a result, Ascertia has no need to publish public CVE’s and does not authorise any 3rd party to publicise issues discovered with Ascertia products or services.
Ascertia also provide software\service updates as part of the Support Services offered during the Support Period of the product. Specifically:
Ascertia will provide, during the Support Period, the following support to customers: