Disclosure Policy.
This policy relates to Cybersmith Ltd, registered company 14118194. Throughout this policy Cybersmith Ltd will be referred to as Cybersmith.
This document is a summary of our disclosure policy; it does not replace, and is secondary to, any contract we may have with your organisation.
Introduction.
Cybersmith is committed to addressing and reporting security issues through a coordinated and constructive approach designed to provide the greatest protection for Cybersmith customers, partners, staff and all internet users.
This policy applies both to vulnerabilities discovered anywhere by Cybersmith staff and to vulnerabilities discovered by others in Cybersmith services.
Contact Us.
If you believe you have discovered a vulnerability in a Cybersmith product or have a security incident to report, please email us at: [email protected]. We will respond to all disclosures within 3 working days of first contact.
Confidentiality.
Cybersmith will take a series of steps to address issues in its products; we ask that reporters keep all communication regarding the vulnerability confidential while this process is under way.
Common Vulnerability Scoring System.
When reporting a vulnerability, we appreciate the use of the Common Vulnerability Scoring System (CVSS) v3.1, ideally including the vector string and resulting base score: https://www.first.org/cvss/calculator/3.1.
Process For Managing Reported Vulnerabilities.
On receiving a report, Cybersmith will follow the process outlined below:
- Cybersmith will convene its vulnerability analysis team, led by the Managing Director.
- The vulnerability analysis team investigates, verifies and establishes the severity of the vulnerability.
- If the vulnerability is found to be within another vendor's product, we will notify that vendor.
- Cybersmith will address the vulnerability with a patch within 90 days; if this cannot be done within that timeframe (or at all), Cybersmith will provide recommended mitigations.
- Cybersmith publicly announces the vulnerability and credits the person or people who reported it, unless the reporter(s) would prefer to remain anonymous.
Cybersmith will endeavour to keep the reporter apprised of every step in this process as it occurs.
Payment For Reported Vulnerabilities.
Cybersmith does not operate a formal programme for paying for reported vulnerabilities; however, at the sole discretion of the company, we may choose to make such a payment.