Responsible Disclosure Policy
Last Updated: Thu Oct 10 2024
Purpose
To allow for the reporting and disclosure of vulnerabilities discovered by external entities, and anonymous reporting of information security policy violations by internal entities.
Vulnerability Disclosure Process
How to Submit a Vulnerability
To submit a vulnerability report to MFB Technologies, Inc., please send it via email to: security@mfbtech.com
What Should Be in the Report:
- A clear description in English of the problem
- Proof-of-concept code if available
- Logs or other relevant output if available
- Information on how you found the bug, the impact, and any potential remediation
- Any plans or intentions for public disclosure
What You Can Expect from MFB Technologies, Inc.:
- A response to your email within one week
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it
- An open dialog to discuss issues
- Notification when the vulnerability analysis has completed each stage of our review
- Credit after the vulnerability has been validated and mitigated
If we are unable to resolve communication issues or other problems, MFB Technologies, Inc. may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Legal Posture
MFB Technologies, Inc. will not engage in legal action against individuals who submit vulnerability reports through the disclosure process described herein, provided that they:
- Engage in testing of systems/research without harming MFB Technologies, Inc. or its customers
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of MFB Technologies, Inc.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.