Version 1
October 25, 2021
Responsible Vulnerability Disclosure Policy
Zigor, a company specialized in developing robust, flexible and efficient solutions, treats the security, privacy and integrity of our products and services as a priority, and it is something we consider and handle very seriously.
We are committed to ensuring that our products are secure for our customers. Recognising the importance of cybersecurity in products and solutions, we are registered as a CNA under the scope of INCIBE, so we are authorized to assign CVE identifiers (CVE IDs) to vulnerabilities affecting our products.
1. Reporting a security or privacy vulnerability
To notify us of a suspected security or privacy vulnerability, you must send an email to cna@zigor.com, including at least the following information:
- Code and serial number of the product and software you believe to be affected.
- A description of the behaviour you observed and the behaviour you expected.
- A numbered list of the steps required to reproduce the problem and, if they are difficult to follow, a video demonstration.
- Potential impact.
2. Acknowledgement of Receipt
Upon receipt of your email, we will reply to confirm that we have received it.
3. Identify Vulnerabilities and assign CVE IDs
- We will divide the report into independently remediable issues.
- We will determine if these issues are vulnerabilities.
- If they are, and if the vulnerabilities are within our scope, we will proceed to register the CVE ID assignments.
4. Communicate the assignments to the reporter
The assigned IDs will be reported to the reporter and will be available to be tracked and followed.
5. Legal compliance in the search for vulnerabilities
Respect the law. Searching for vulnerabilities cannot be used as a pretext to attack a system or any other target. Therefore, the following actions are not allowed in the search for vulnerabilities:
- Any kind of physical attack.
- Using social engineering.
- Persistently compromising the system and maintaining constant access to it.
- Using the vulnerability for any action other than proving its existence by non-aggressive methods.
- Modifying data accessed by exploiting (exploring) the vulnerability.
- Using malware.
- Using brute force attacks.
- Denial of Service (DoS or DDoS).
- Sharing the vulnerability with third parties.
- Accessing non-public areas. You must immediately stop the activity and report the vulnerability.
- Affecting the availability of services and the proper functioning of the equipment. You must immediately stop the activity and report the vulnerability.
Keep information about any vulnerability you have discovered confidential between you and Zigor until we resolve the issue.
Zigor reserves the right to modify this policy at any time, at its sole discretion.