Intech Vulnerability Disclosure Policy
Purpose of the VDP
Intech Solutions (Intech) is committed to protecting the products and systems that we deliver, and the information held within them.
This vulnerability disclosure policy (VDP) provides information on what to do and not to do if you, as a security researcher, discover a potential security vulnerability in a product or service we provide.
This VDP describes the types of security research that are allowed to be performed against any Intech Product or Service and provides researchers with our requirements for reporting any potential security vulnerability discovered.
It further outlines what actions Intech will take on receiving a report of a potential security vulnerability and timeframes for action. Where the vulnerability is to be publicly disclosed, this VDP sets expectations around public disclosure before a researcher may disclose the potential vulnerability.
‘Finder’ – The entity responsible for informing Intech Solutions of a potential security vulnerability in a product or service offered by Intech Solutions.
‘Research’ – Using Intech products or services as intended and discovering a potential security vulnerability.
‘Security vulnerability’ – An aspect of a product or service, design, implementation or operation that provides an avenue for exploitation and adverse consequences to systems’ confidentiality, integrity or availability.
‘VDP’ – Vulnerability Disclosure Policy
Allowable security research
The following is allowed:
- Using the Intech Solutions website or other products and services as intended and notifying us as soon as possible of any potential security vulnerabilities encountered in standard use.
The following is not allowed:
- Any action that breaches privacy, degrades the performance of systems, or allows access to data that is not authorised.
- Any action that goes beyond the confirmation of a vulnerability, to comprise ‘exploitation’ of that vulnerability.
- Publicly disclosing the vulnerability without first disclosing it to Intech Solutions and providing us time to react and respond appropriately.
How to report a potential security vulnerability
To report a vulnerability, please phone Intech Solutions on (+61) 02 8305 2100, or email us on: [email protected]
When reporting a potential security vulnerability, you are free to remain anonymous. Intech will not disclose any personally identifiable customer details without your permission. Please treat the information as confidential until we can respond to you directly.
Responsive actions and indicative timeframes
Intech will respond to the report from a finder within five (5) business days.
Please do not ask us to sign a non-disclosure agreement or confidentiality provision regarding the potential security vulnerability. We aim to seek as much information from the finder as possible and be as transparent as possible while protecting any end-user of our product or service. However, as stated above, the finder is free to remain publicly anonymous.
Intech will work with the finder on confirming an agreed date for public disclosure of the vulnerability. However, in certain situations, we reserve the right to disclose the vulnerability immediately, such as if an end-user may be adversely affected, or where a vulnerability is known to be actively exploited.
We aim to have all vulnerabilities treated as soon as possible. However, while some potential security vulnerabilities will be easy to treat, others may require significant engineering that will take longer.
Recognition for finders of verified security vulnerabilities
The finder of a security vulnerability affecting a Product or Service offered by Intech will be credited for the discovery publicly on our website: www.intechsolutions.com.au/security
VDP last updated: 21 June 2022