How Edgewatch handles security vulnerabilities
This Vulnerability Disclosure Procedure provides guidelines for cybersecurity researchers to improve the security of our products, apps, and cloud services. This Procedure also instructs researchers on how to submit discovered vulnerabilities to our team.
If you are an Edgewatch user and have a security issue to report regarding your account, please visit our support panel. To find out how to stay safe online, take our free Edgewatch University courses.
We take security issues extremely seriously and welcome feedback from security researchers in order to improve the security of our networked products, apps, and cloud services. We operate a procedure of coordinated disclosure for dealing with reports of security vulnerabilities and issues. Vulnerabilities submitted to us under this procedure will be used for defensive purposes to mitigate or remediate vulnerabilities in our networks and services.
Reporting security issues
If you believe you have discovered a vulnerability in an Edgewatch product or have a security incident to report, please send an email to [email protected] or go to the security channel at support.edgewatch.com to include it in our vulnerability tracking. Upon receipt of your message we will send an automated reply that includes a tracking identifier.
To receive credit, you must be the first to report the vulnerability, and you must notify us in accordance with the following:
- You should provide basic details of the discovered issue, typically:
  - Name/type of affected product/app/service; if applicable, model number, serial number, etc.
  - Any Proof of Concept (PoC) setup details
  - Description of the steps to reproduce the issue
  - Public references, if there are any
  - The details of the system where the tests were conducted
Following the Vulnerability Disclosure Procedure, we will respond to you within a maximum of 48 business hours of receiving the initial report. If the reported security issue is confirmed after we assess the impact, severity, and exploit complexity of the vulnerability report, we may ask for your further contribution to resolve the potential vulnerability within 90 days.
Although we find every vulnerability that comes from you valuable, we ask you to stay away from any kind of security research that may harm our users, systems and services or that carries a possibility of data corruption. Also, if a researcher finds a vulnerability that exposes any sensitive data (including personally identifiable information, financial information, or the proprietary information or trade secrets of any party), they must stop testing, notify the relevant e-mail address immediately through our vulnerability submission process, and not disclose this data to anyone else. If a researcher engages in any activities that are inconsistent with this procedure or other applicable law, the researcher may be subject to criminal and/or civil liabilities.
Edgewatch’s vulnerability disclosure policy
Researchers must review and comply with the following terms and conditions of this Procedure before conducting any research or testing on our networked products, apps and cloud services.
- If a deadline is due to expire on a weekend or Spanish public holiday, the deadline will be moved to the next normal work day.
- Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
- When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. We believe it’s important that vendors disclose that there is evidence to suggest that the vulnerability is under active exploitation. Edgewatch does this through a product’s security bulletin.
As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Edgewatch expects to be held to the same standard.
If you believe that someone is violating the policies, please report abuse immediately. To report copyright infringement or other pressing legal issues, please use our abuse report form.
If you fall victim to cybercrime, notify your local authorities immediately to file a complaint. Preserve and document all evidence related to the incident and any potential sources. Avoid attacking, responding or retaliating on your own or using Edgewatch.
The tools and services of the Edgewatch platform are designed to be complementary and defensive; while they are used by law enforcement agencies, they are not intended to replace or supplant the investigative and enforcement efforts of the authorities in response to a criminal offense.
Report Trademark Infringement
If you suspect that someone is misusing our trademark, please alert us promptly. To address trademark infringement or other pertinent legal concerns, kindly utilize our abuse report form.