1. Reporting a Vulnerability
If you believe you have identified a security vulnerability in any software and/or product, we encourage you to report it to us as soon as possible. We request that you follow these steps:
Provide as much information as possible to help us understand the nature and scope of the issue.
Respect the users' privacy. Avoid accessing, modifying, or deleting any data that does not belong to you.
Send an email to our security team at zeroday@prodaft.com.
Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
4. Vulnerability Disclosure Process and Timeline
This policy details how Prodaft manages responsible vulnerability disclosure for product vendors, Prodaft customers, security vendors, and the public. We are committed to promptly informing the relevant product vendor of any security issues found in their product(s) or service(s).
1. Initial Notification:
Our first step will be to contact the vendor using appropriate channels listed on their website, or by sending an email to addresses such as security@, support@, info@, and secure@company.com with detailed information about the vulnerability.
Concurrently with notifying the vendor, we may distribute protection filters to Prodaft customers through approved channels.
2. Follow-Up Contact:
If the vendor does not acknowledge our initial notification within five business days, we will attempt a second formal contact. If all reasonable efforts to contact the vendor are unsuccessful, we may proceed to issue a public advisory disclosing our findings fifteen business days after the initial contact.
3. Vendor Response Timeframe:
If the vendor responds within the specified timeframe, Prodaft will allow the vendor 90 days (3 months) to address the vulnerability with a security patch or other corrective measures. At the end of this period, if the vendor has not responded or cannot provide a reasonable explanation for not fixing the vulnerability, Prodaft will publish a limited advisory with mitigation information to help the defensive community protect users.
4. Public Disclosure:
Prodaft will formally release its security advisories on our website. Only advisories listed on the website should be considered official Prodaft advisories. By taking these steps, we aim to encourage vendors to recognize their responsibility to their customers and take appropriate action.
Prodaft strives to collaborate with vendors to ensure they fully understand the technical details and severity of reported security flaws, thereby improving the overall security landscape.