VULNERABILITY DISCLOSURE POLICY
SwitchSmart LLP (hereinafter referred to as "SwitchSmart", "we" or "us") is committed to your security and safety. The purpose of this Vulnerability Disclosure Policy is to provide an avenue for security researchers and consumers to identify vulnerabilities and disclose discovered vulnerabilities to us. You must read and understand this policy before attempting to test a vulnerability and before disclosing a vulnerability to us.
All vulnerabilities should be disclosed using the methods outlined in this policy below:
In the process of testing a vulnerability, the disclosure, editing, deletion and insertion of data that may compromise the integrity of the data store is strictly not permitted;
Any vulnerability should be kept confidential between SwitchSmart and you;
No legal action may be taken or supported in the process of vulnerability disclosure;
You must not engage in the following actions in the process of vulnerability discovery:
The exploitation of vulnerabilities through social engineering;
Maintaining persistent access through the vulnerability;
The use of malware;
Using brute force;
DoS or DDoS attacks;
Sharing of vulnerabilities with third parties.
In addition, vulnerability detection and disclosure must not contravene any local or international laws, and this policy does not permit unlawful attacks on any system or device.
To report a vulnerability, please send an email to firstname.lastname@example.org.
The email should include, but is not limited to:
Your contact details;
The product name and model;
The date of vulnerability discovery;
Description of the vulnerability, including any screenshots or images that may assist us;
Steps to reproduce the vulnerability;
Any specific configurations including hardware, firmware & software deemed relevant to the vulnerability.
Upon receiving your report, SwitchSmart will acknowledge the report within 7 working days and provide information on the progress of vulnerability patching.
We will remain in contact with you throughout the patching process and update you weekly on the progress of rectification.
We aspire to resolve all vulnerabilities within 90 days from the point we are made aware of them.
Upon completion of security patching, you will be notified of a successful patch and the steps required to update your device(s) to incorporate the patch. Where required, the patch instructions will be broadcast to all affected customers.
Subsequently, an internal review will be conducted to determine and rectify any future security shortcomings in our processes and products.