Vulnerability Disclosure Policy
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use only the communication channels for vulnerability reporting identified in this policy.
- Keep information about any vulnerabilities you have discovered confidential between yourself and Aerogaz until Aerogaz approves disclosure.
- Remain communicative and cooperative as we work together through this process.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research into a vulnerability.
- Work with you to understand and resolve the issues associated with the vulnerability.
- Recognize your contribution if you are the first person to report the vulnerability and we make a product modification or configuration change based on the reported vulnerability.
Test Methods
All researchers must respect the law. Vulnerability scanning must not serve as a pretext for attacking a system or any other target, and reporting a vulnerability does not exempt the reporter from legal compliance.
Several actions must be avoided, for example:
- Using social engineering
- Compromising the system and persistently maintaining access to it
- Changing the data accessed by exploiting the vulnerability
- Using malware
- Using the vulnerability in any way beyond proving its existence. To demonstrate that a vulnerability exists, the reporter may use non-intrusive methods, for example listing a system directory
- Using brute force to gain access to systems
- Sharing vulnerability details with third parties
- Performing DoS or DDoS attacks
A vulnerability should be reported as soon as it is detected and must not be exploited in any way.
Reporting a vulnerability
If you believe you have found a security vulnerability in one of our products or platforms, please send your finding report to us by email at dpo@aerogaz.com.
Please include the following details in your report, using the template below that matches the affected component.
Hardware:
- Product name & hardware model/revision/serial number
- Expected correct usage
- Actual usage after exploiting the vulnerability
- Steps to reproduce the vulnerability
- Risk assessment (impact level as assessed by the finder: High/Med/Low)
- Configurations of hardware (connections, software, debug connections, etc.)
- Example exploit source code (if any)
- Finder(s) contact information
Firmware:
- Product name & firmware version
- Expected correct usage
- Actual usage after exploiting the vulnerability
- Steps to reproduce the vulnerability
- Risk assessment (impact level as assessed by the finder: High/Med/Low)
- System & hardware configurations (MAC address, etc.)
- Example exploit source code (if any)
- Finder(s) contact information
Cloud:
- Country the finder is from
- Time and date of discovery (if known)
- Username/email involved in producing the vulnerability
- User inputs required to reproduce the vulnerability
- Expected correct usage
- Actual usage after exploiting the vulnerability
- Steps to reproduce the vulnerability
- Risk assessment (impact level as assessed by the finder: High/Med/Low)
- System configurations (if relevant to vulnerability)
- Example exploit source code (if any)
- Finder(s) contact information
Application (Android/iOS/Web):
- App name & version
- Host Operating System (OS) & OS version
- Expected correct usage
- Actual usage after exploiting the vulnerability
- Steps to reproduce the vulnerability
- Risk assessment (impact level as assessed by the finder: High/Med/Low)
- System configurations (if relevant to vulnerability)
- Example exploit source code (if any)
- Finder(s) contact information
Our Actions
Upon receiving your report, we will:
- Acknowledge your report within seven working days
- Request any additional information we need for our investigation
- Seek your cooperation to confirm the existence of the vulnerability
- Inform you of the estimated time we need to resolve the vulnerability and provide a patch for the product(s) involved. Our goal is to fix it within ninety days of confirmation
- Provide regular status updates, based on the severity classification we assign after impact analysis, until the reported issues are resolved:
  - For urgent and critical cases, daily updates will be provided
  - For other cases, weekly updates will be provided
- Notify you when the fix is complete
- In appropriate cases, release information about the issue to our consumers or the public, to raise awareness and explain what they can do
- Conduct an internal review of the shortcomings and improve our processes and products