Responsible Disclosure For Security Vulnerabilities
Oviva is committed to maintaining the security of our products, services, and customer information. If you have discovered a potential security vulnerability in any of our offerings, please submit a vulnerability report to firstname.lastname@example.org. Please do not publicly disclose this information without contacting us first. Our security team will reach out to you once the vulnerability report is received.
- We commit to acknowledge receipt of the vulnerability within 48 business hours.
- We will work together with you to understand the severity of the issue and estimate the timelines for disclosure.
- Notify you when the vulnerability has been fixed, so that further testing can be done to confirm the remediation.
- Public acknowledgement and credit for your responsible disclosure, if required.
When reporting a potential vulnerability, please include a detailed summary of the vulnerability. This includes:
- The target service / product.
- The exact type of vulnerability and clear instructions to identify.
- Clear step-by-step instructions to potentially exploit the vulnerability.
- Additional information and artefacts such as the tools required, PoC scripts, screenshots, etc.
We expect that you follow our responsible disclosure guidelines, as following:
- Allow Oviva an opportunity to correct the vulnerability within a reasonable time frame (default of 90 days) before publicly disclosing the identified issue.
- Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
- Do not download, modify or destroy data that does not belong to you.
- Do not use social engineering, attacks on physical security, distributed denial of service, or spam.
If you wish to provide feedback or suggestions on this policy, please contact us at: email@example.com. This policy is bound to evolve over time, and your input is valuable to ensure that it is clear, complete and remains relevant.