Responsible Disclosure Policy
Security and Safety Things (S&ST) delivers products that offer the best quality and reliability. The S&ST Security Team supports this by helping to resolve security issues identified in S&ST products by external security researchers, partners, or customers.
The S&ST Security Team coordinates measures in case of (potential) security incidents with S&ST engineers and development teams, including establishing an appropriate response plan and maintaining regular communication with the reporting party. S&ST encourages coordinated disclosure of vulnerabilities, and we kindly ask the reporting party to keep the vulnerability confidential until S&ST makes a fix available.
Everyone is encouraged to report identified vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports directly from researchers, industry groups, CERTs (Computer Emergency Response Teams), partners and any other source. We respect the interests of the reporting party (anonymous reports are also welcome) and agree to address any vulnerability that is reasonably believed to be related to our products or services. We strongly urge reporting parties to perform a coordinated disclosure, as immediate public disclosure puts our customers’ systems at unnecessary risk.
Please do the following:
- Submit your findings by using the following URL:
- We kindly ask the reporting party not to share an unresolved vulnerability with third parties or publicize it.
By following the S&ST Responsible Security Disclosure Policy, the S&ST Security Team and associated development organizations will use reasonable efforts to:
- Respond quickly and acknowledge receipt of the vulnerability report.
- Provide an estimated time frame for addressing the vulnerability report.
- Notify the reporting party when the vulnerability has been fixed.
S&ST agrees not to pursue claims against reporting parties related to disclosures submitted to us, provided the following conditions are met:
- The reporting party does not cause harm to S&ST, our customers, or others.
- The reporting party does not compromise the privacy or safety of our customers or the operation of our services.
- The reporting party does not violate any criminal law.
- The reporting party publicly discloses vulnerability details only after S&ST confirms completed remediation of the vulnerability.
S&ST appreciates the efforts made by the reporting party in identifying the vulnerability and working with us to ensure the safety of S&ST customers. We thank you for going out of your way to improve the security and safety of our customers and the Internet community as a whole.