Vulnerability disclosure statement

Since security is of critical importance to us and to our customers, we at Thytronic are committed to ensuring the safety and security of our products and services. Thytronic supports coordinated vulnerability disclosure and encourages responsible vulnerability testing, we take any reports of potential security vulnerabilities seriously.

Please follow these steps to report a potential security vulnerability:

Reporting Procedure

  1. Please use our PGP public key to encrypt any email submissions to us at security-incident@thytronic.it
  2. Provide your reference/advisory number and sufficient contact information, such as:
    • Your contact information
    • Name of the person who found the vulnerability
    • Date when the vulnerability was detected and details about how it was discovered
  3. Include a technical description of the concern or vulnerability. Provide as much information you can on the product or service, like version number, and configuration of the setup used (i.e. tools). If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
  4. If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.

Security Vulnerability Report Assessment and Action

  1. Thytronic will:
    • Acknowledge receiving your report within 7 business days
    • Provide you with a unique tracking number for your report
    • Assign a contact person to each submitted case
    • Notify the interested internal technical teams
  2. Thytronic will keep you informed on the status of your report.
  3. If the vulnerability is actually in a third party component or service which is part of our product/service, we will refer the report to that third party and advise you of that notification. To that end, please inform us in your email whether it is permissible in such cases to provide your contact information to the third party.
  4. Upon receiving a vulnerability report, Thytronic will:
    • Verify the reported vulnerability
    • Work on a resolution
    • Perform QA/validation testing on the resolution
    • Release the resolution
    • Share lessons learned with development teams
  5. Thytronic will use existing customer notification processes to manage the release of patches or security fixes, which may include without limitation and at Thytronic's sole discretion direct customer notification or public release of an advisory notification on our website

Important

  1. Refrain from including sensitive personal information in any screen shots or other attachments you provide to us.
  2. Do not perform any vulnerability testing on applications, products or services that are actively in use. Vulnerability testing should only be performed on devices or applications, products or services not currently in use or not intended for use.
  3. For web based applications, products or services, please use demo/test environments to perform vulnerability testing.
  4. Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data. Try to not to delete or use data belonging to other users.
  5. As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with Thytronic on selecting public release dates for information on discovered vulnerabilities.
  6. In the effort to find vulnerabilities, actions must not be sproportionate, such as, including without limitation:
    • Using social engineering to gain access or information
    • Installing or building backdoors in an information application, product or service with the intention of then using it to demonstrate the vulnerability
    • Utilizing a vulnerability further than what is necessary to establish its existence
    • Making changes to the application, product or service
    • Repeatedly gaining access to the application, product or service or sharing access with others
    • Using brute force attacks to gain access to the application, product or service. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords
  7. Thytronic will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.

Notice

If you share any information with Thytronic in the context of responsible disclosure, you are agreeing that the information you submit will be considered as non-proprietary and non-confidential. Thytronic is allowed to use shared information, or part of it, without any restriction. You agree that submitting information does not create any rights for you or any obligation for Thytronic.
Due to the sensitive nature of the information being exchanged, Thytronic highly recommends that all security vulnerability reports are encrypted using the Thytronic PGP/GPG key before being submitted:

  • Fingerprint: E44A 9E76 150D E9FC 87DB 2AF7 6B23 B804 5939 3AC0
  • Public Key File

Use these links to access free software to read and author PGP/GPG encrypted messages: