Report Security Vulnerability

Scope and Applicability

All systems and services associated with domains listed below are in scope. Likewise, subdomains of each listing, unless explicitly excluded, are always in scope. Additionally, any website published with a link to this policy shall be considered in scope. Vulnerabilities found in non-Primetics systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Though we develop and maintain other internet-accessible systems or services, we ask that active research only be conducted on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits inclusion, please contact us to discuss it first. We will increase the scope of this policy over time.

Primetics Domains

Guiding Principles

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to Primetics. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Policy Specification

The following are the minimum set of controls required under this policy.

Reporting Security Vulnerability

If you believe you have found a security vulnerability, please submit your report via the web portals listed below. Reports must be submitted through the web portal associated with the domain on which the vulnerability was found:

Required Security Vulnerability Report Details

  • The website, IP, or page where the vulnerability can be observed
  • A brief description of the type of vulnerability e.g., “XSS vulnerability”
  • Steps to reproduce. These should form a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities, such as subdomain takeovers
  • Description of the circumstances, including date(s) and time(s), leading to your reporting of the suspected vulnerability
  • Where applicable, provide your name, email address and mobile number in the suspected vulnerability report so that we may contact you for clarifications. Please be aware that this information will be passed on to a third party responsible for website development

VDP Participant Expected Behaviour

  • Do not break any applicable law or regulations
  • Do not access unnecessary, excessive, or significant amounts of data
  • Do not modify data in Primetics' systems or services
  • Do not use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • Do not attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
  • Do not submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice,” for example missing security headers
  • Do not submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support
  • Do not communicate any vulnerabilities or associated details other than by means described in this Policy
  • Do not social engineer, ‘phish’ or physically attack Primetics' staff or infrastructure
  • Do not demand financial compensation to disclose any vulnerabilities
  • Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems
  • Do not intentionally compromise the privacy or safety of Primetics personnel, or any third parties
  • Do not intentionally compromise the intellectual property or other commercial or fiscal interests of any Primetics personnel or entities, or any third parties
  • Notify us as soon as possible after you discover a real or potential security issue
  • Make every effort to avoid privacy violations
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
  • Securely delete all data retrieved during your research as soon as it is no longer required

VDP Submission Expected Response

  • Once a report has been submitted, Primetics will respond to the submitter within 5 working days
  • Primetics will aim to triage the report within 10 working days
  • Priority for remediation is assessed by looking at the impact, severity, and exploit complexity
  • Vulnerability reports might take time to triage or address. You are welcome to enquire about the status, but should avoid doing so more than once every 14 days
  • Primetics will notify you when the reported vulnerability is remediated