Viatek Technology Vulnerability Disclosure Program
Purpose of the Vulnerability Disclosure Program
The security and integrity of our systems are of utmost importance to us. Despite our continuous efforts to maintain a robust security posture, vulnerabilities may still be present.
We collaborate with the security community and have established our Vulnerability Disclosure Program to enable you to responsibly share any findings with us.
If you identify a potential vulnerability within any of our systems, services, or products, we urge you to notify us promptly. Please adhere to the disclosure process outlined in the “How to Disclose a Vulnerability” section below.
The goal of this program is to facilitate the receipt, evaluation, and remediation of security vulnerabilities. We welcome submissions from security researchers and professionals acting in good faith. This program is not intended for general service inquiries, and we will not respond to any contact unrelated to a security vulnerability through this process.
Program Scope
Our Vulnerability Disclosure Program applies to:
- Any product or service owned by us that you have lawful access to.
- Products, services, and infrastructure provided to our shared service partners that you have lawful access to.
Prohibited Activities
To preserve the integrity of our program, certain research activities are strictly prohibited. Security researchers and professionals are advised to review the following list before initiating any research.
The following activities are not allowed under this program:
- Posting, transmitting, uploading, linking to, or distributing malware
- Engaging in any activity that violates applicable laws
- Social engineering or phishing
- Attempts to alter or destroy data
- Automated vulnerability scanning reports
- Accessing or attempting to access accounts or data that do not belong to you
- Use of deceptive methods
- Data exfiltration under any circumstances
- Denial of Service (DoS) or Distributed DoS (DDoS) attacks
- Physical tampering or attacks
- Disclosure of publicly known files or directories
- Reporting of non-sensitive cookies lacking Secure or HTTP Only flags
- Reporting the use of known vulnerable libraries or frameworks without a valid attack scenario
- Testing of third-party websites, applications, or services that are integrated with our products or services
- Clickjacking
Please do not report protections that are not directly exploitable, or security vulnerabilities related to missing security controls. Examples include:
- Weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
- Misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
- Missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy), and
- Theoretical cross-site request forgery and cross-site framing attacks
How to Disclose a Vulnerability
To disclose a potential security vulnerability, please email us at vulnerabilitydisclosure@viatek.com.au
Ensure your report includes as much detail as possible, including:
- Details of the potential security vulnerability
- List of potentially affected products and services (where possible)
- Steps to reproduce the vulnerability
- Proof-of-concept code (where applicable)
- Names of any test accounts you have created (where applicable)
- Your contact details (if you choose), and
- Whether you would like public acknowledgement for your contribution (under the acknowledgments section of this webpage), and the name you would like to be acknowledged under.
Post-Disclosure Process
When you report a vulnerability, we will:
- Respond to you within 14 business days, and
- Acknowledge your contribution to our program if you choose to be publicly recognized
We will not:
- Financially compensate you for reporting
Acknowledgements
With your permission, we will list the names or aliases of contributors to our Vulnerability Disclosure Program below.