Responsible Disclosure Policy

Introduction

Spirula is committed to ensuring the security and privacy of the technologies we assess. This policy serves as a guideline for our technology reviewers to conduct responsible assessments of applications and technologies. Our objective is to promote a collaborative and security-focused approach with developers, vendors, and users during our assessments. This policy outlines clear guidelines for conducting vulnerability discovery activities, ensuring that security issues are identified, and promoting responsible disclosure practices.

Authorization

By adhering to this Responsible Disclosure Policy during our technology reviews, we commit to responsible disclosure practices. We will not engage in activities that could compromise the integrity, security, or privacy of the technologies under review. Additionally, we pledge not to initiate legal action against developers, vendors, or users who cooperate in good faith with this policy.

Guidelines

Under this policy, “technology review” refers to activities in which we:

  • Promptly notify developers, vendors, or responsible parties if we discover a real or potential security issue during our assessment.
  • Make every effort to avoid privacy violations, disruption to the user experience, or damage to production systems.
  • Use any security testing tools or techniques responsibly and solely for the purpose of identifying vulnerabilities.
  • Provide a reasonable amount of time for developers or vendors to address identified issues before considering public disclosure.
  • Avoid submitting a high volume of low-quality reports.

If we encounter sensitive data during our review, such as personally identifiable information or proprietary information, we will cease our assessment, notify the relevant parties immediately, and refrain from disclosing this data to anyone else.

Test Methods

Unauthorized test methods during technology reviews include:

  • Network denial of service (DoS or DDoS) tests or any actions that disrupt access to or harm a system or data.
  • Physical testing (e.g., physical intrusion, tailgating) and social engineering (e.g., phishing) or any non-technical vulnerability testing.

Scope

This policy applies to all technology reviews conducted by Spirula Systems. We will ensure that our assessments align with the objectives and constraints of this policy.

Reporting a Vulnerability

If we discover a security vulnerability during a technology review, we will follow responsible disclosure practices, which may include:

  • Notifying the relevant developers, vendors, or responsible parties of the vulnerability.
  • Providing necessary technical details to aid in vulnerability remediation.
  • Allowing for anonymous vulnerability reporting without the requirement of personally identifiable information.

What We Would Like to See From You (Developers/Vendors)

To facilitate our technology reviews and prioritize vulnerability assessments, we appreciate the following from developers or vendors:

  • Clear documentation that describes the technology’s functionality and potential security considerations.
  • A description of the location and potential impact of identified vulnerabilities.
  • Any proof-of-concept code or technical information needed to reproduce vulnerabilities.

What You Can Expect From Us

When developers or vendors cooperate with our review process, they can expect the following:

  • Prompt acknowledgment of vulnerability reports.
  • Transparent communication regarding the status of vulnerability assessments and remediation efforts.
  • An open dialogue to address any questions or concerns that may arise during the review.

Questions

If you have any questions or require clarification regarding this policy or any related matters during the technology review process, please feel free to contact Spirula at [[email protected]].