
Vulnerability Disclosure Policy

At PRODAFT, we are committed to ensuring the security and privacy of our customers, partners, and stakeholders. We value the contributions of the security community in identifying vulnerabilities in our products and services. This Coordinated Vulnerability Disclosure Policy outlines how we work with security researchers to identify and mitigate potential vulnerabilities.
1. Reporting a Vulnerability
If you believe you have identified a security vulnerability in any software and/or product, we encourage you to report it to us as soon as possible. We request that you follow these steps:
ProActiveCyber Technologies B.V.
Provide as much information as possible to help us understand the nature and scope of the issue.
Respect the users' privacy. Avoid accessing, modifying, or deleting any data that does not belong to you.
Send an email to our security team at zeroday@prodaft.com
Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
2. Our Commitment
Upon receiving your report, we commit to:
Acknowledgment: Acknowledge receipt of your vulnerability report within 5 business days.
Investigation: Investigate the reported vulnerability and provide an estimated timeline for resolution.
Communication: Maintain open communication with you during the investigation and remediation process.
Credit: If you wish to be recognized, we will publicly acknowledge your contribution once the vulnerability is resolved, unless you prefer to remain anonymous.
3. Scope
Assets or other equipment not owned by parties which are already participating as a CVE Numbering Authority.
4. Vulnerability Disclosure Process and Timeline
This policy details how Prodaft manages responsible vulnerability disclosure for product vendors, Prodaft customers, security vendors, and the public. We are committed to promptly informing the relevant product vendor of any security issues found in their product(s) or service(s).
1. Initial Notification:
Our first step will be to contact the vendor using appropriate channels listed on their website, or by sending an email to addresses such as security@, support@, info@, and secure@company.com with detailed information about the vulnerability.

Concurrently with notifying the vendor, we may distribute protection filters to Prodaft customers through approved channels.

2. Follow-Up Contact:
If the vendor does not acknowledge our initial notification within five business days, we will attempt a second formal contact. If all reasonable efforts to contact the vendor are unsuccessful, we may proceed to issue a public advisory disclosing our findings fifteen business days after the initial contact.

3. Vendor Response Timeframe:
If the vendor responds within the specified timeframe, Prodaft will allow the vendor 90 days (3 months) to address the vulnerability with a security patch or other corrective measures. At the end of this period, if the vendor has not responded or cannot provide a reasonable explanation for not fixing the vulnerability, Prodaft will publish a limited advisory with mitigation information to help the defensive community protect users.

4. Public Disclosure:
Prodaft will formally release its security advisories on our website. Only advisories listed on the website should be considered official Prodaft advisories. By taking these steps, we aim to encourage vendors to recognize their responsibility to their customers and take appropriate action.

Prodaft strives to collaborate with vendors to ensure they fully understand the technical details and severity of reported security flaws, thereby improving the overall security landscape.
