Vulnerability disclosure
What to do if you find a vulnerability in our products and services
If you believe you have discovered a vulnerability in one of our services or have a security incident to report, please contact us at security@coldsurge.com, detailing:
- The nature of the vulnerability
- Steps to reproduce the vulnerability
- Your contact preferences for updates and recognition
Once we have received a vulnerability report:
- We will promptly acknowledge receipt of your vulnerability report.
- We ask that you keep all communication about the vulnerability confidential.
- We will work with you to understand and investigate the vulnerability.
- We will provide a timeframe for addressing the vulnerability.
- We will notify you once the vulnerability has been resolved, so that you can retest if you wish.
- We will publicly announce the vulnerability in the release notes of the update that fixes it. We may also issue additional public announcements, for example via social media.
- Release notes (and blog posts, if issued) will credit the individuals who reported the vulnerability, unless the reporter(s) would prefer to remain anonymous.
We will endeavour to keep the reporter apprised of every step in this process as it occurs. We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our services, and better protect our customers. In line with general responsible disclosure good practice, we ask that security researchers:
- Allow Coldsurge a reasonable period of time to correct a vulnerability before publicly disclosing the identified issue.
- Provide sufficient detail about the vulnerability to allow us to investigate successfully, including the steps required to reproduce the issue.
- Where possible, include a Common Vulnerability Scoring System (CVSS) rating with your report.
- Do not modify or delete data, or take any action that would impact Coldsurge customers.
- Do not carry out social engineering exercises or attempt to find weaknesses in the physical security of Coldsurge offices or other locations.