Coordinated Vulnerability Disclosure Policy Information
Cambridge Computer Systems Limited takes security issues extremely seriously and welcomes feedback from security researchers in order to improve the security of its products and services.
We operate a policy of coordinated disclosure for dealing with reports of security vulnerabilities and other issues. To privately report a suspected security issue to us, please send an email to firstname.lastname@example.org, giving as much detail as you can, including a proof of concept and perceived risks. We will respond to you as soon as possible.
If the suspected security issue is confirmed, we will then come back to you with an estimate of how long the issue will take to fix.
Once the fix is deployed, we will notify you and recognise your efforts on this page.
We ask the following:
- You do not use the vulnerability to abuse our system, including downloading more data than is required to demonstrate the vulnerability;
- You do not reveal details of the vulnerability to anyone but us until the corrective action has been completed;
- You obfuscate any data you submit and all data should be deleted after the disclosure is complete;
- For disclosed vulnerabilities we would expect 90 days from disclosure to correct the problem;
- You will not perform activities such as modification or destruction of data, Denial of Service, disclosure of personal, proprietary or financial information or anything that has an effect on another user’s experience.
What we promise:
- We will not pursue any legal action against you based on your research;
- We will work with you to understand and resolve the issue as soon as possible;
- We will recognise your efforts by thanking you on our security page and adding your details, Twitter handle, etc.
We prefer secure communication, but not to the extent that no communications are possible. We use PGP/GPG and our key is available to download here.
We give thanks to the following people who have helped make our products and services more secure by making a coordinated disclosure with us: