Vulnerability Disclosure Policy

As a provider of security software, services, and research, we take security issues very seriously and strive to lead by example. We recognize the importance of collaboration between vendors, researchers, and customers and seek to improve the safety and security of the community as a whole through a coordinated disclosure process.

Reporting Security Issues to Gravityscan

Contact the Gravityscan Security Team by sending email to security@gravityscan.com in the following situations:

To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are equipped to receive messages encrypted using our public PGP key.

After your incident report is received, the appropriate personnel will contact you to follow-up. Gravityscan attempts to acknowledge receipt to all submitted reports within seven days.

The security@gravityscan.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit https://www.gravityscan.com/help.

Disclosure and Remediation Process

When the Gravityscan Research Team finds a vulnerability in another vendor’s product, or if a vulnerability affecting our plugin is disclosed to us, we take the following steps to address the issue. “Vendor” below may refer to us or to an external vendor.

  1. Our research team verifies the vulnerability.
  2. We notify the vendor, if necessary, with a description of the vulnerability.
  3. The vendor releases a fix, usually after several days and we announce the existence of the vulnerability at the same time to encourage users to upgrade.
  4. A Proof of Concept (PoC) will be released 30 days after the vulnerability is publicly announced so that other security providers can create rules or other means to protect their customers too.

All aspects of this process are subject to change without notice, and to case-by-case exceptions.