Effective Date: 21 November 2023

Overview

This Vulnerability Disclosure Policy is intended to help Tybera improve its security posture by giving security researchers clear guidelines for conducting vulnerability discovery activities and to convey processes in how to submit discovered vulnerabilities to Tybera. This policy describes what systems and types of research are covered under this policy, how to submit vulnerability reports, and how long Tybera asks security researchers to wait before publicly disclosing vulnerabilities.

If security researchers make a good faith effort to comply with this policy during security research, Tybera will consider the research to be authorized, will work with the security researcher to understand and resolve the issue quickly, and Tybera will not recommend or pursue legal action related to the research. Should legal action be initiated by a third party against the security researcher for activities that were conducted in accordance with this policy, Tybera will make this authorization known.

Under this policy, “research” means activities in which the security researcher:

  • Notifies Tybera as soon as possible after the discovery of a real or potential security issue.
  • Makes every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only uses exploits to the extent necessary to confirm a vulnerability’s presence. Does not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provides Tybera a reasonable, mutually agreed-upon amount of time to resolve the issue before the finding is disclosed publicly.
  • Does not submit a high volume of low-quality reports.

Once the security researcher has established that a vulnerability exists or encounters any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), the security researcher must stop the test, notify Tybera immediately, and not disclose this data to anyone else.

Test Methods Not Allowed:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct Tybera business, customer support, or interact with internal networks and business systems, whether owned or leased by Tybera, the employee, or a third party. If you aren’t sure whether a system is in scope or not, please contact us at security@tybera.com before starting your research.

Reporting a Vulnerability

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities in accordance with Tybera’s Information Security Policy and Incident Response Policy. If findings include newly discovered vulnerabilities that affect users of a product or service and not solely Tybera, Tybera may share the report with such users. Tybera will not share the reporter’s name or contact information without express permission.

Tybera accepts vulnerability reports via security@tybera.com. Reports may be submitted anonymously. If contact information is shared, Tybera will acknowledge receipt of the report within 10 business days.

By submitting a vulnerability, the security researcher acknowledges that there is no expectation of payment and expressly waives any future pay claims against Tybera related to the submission. In order to help triage and prioritize submissions, please include the following in the report:

  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  • Be in English, if possible. If contact information is shared, Tybera commits to coordinating as openly and as quickly as possible.
  • Tybera will provide confirmation that the issue has either been addressed or that the risk has been reported to the applicable customer.

Policy Compliance

Tybera will measure and verify compliance with this policy through various methods, including but not limited to ongoing monitoring and both internal and external audits.

Exceptions

Requests for an exception to this policy must be submitted to Tybera Management for approval.

Violations & Enforcement

Any known violations of this policy should be reported to a member of Tybera Management. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.