# Vulnerability Disclosure Policy

# Introduction

The following document describes the reporting procedure for security vulnerabilities found in any products, infrastructure or web services developed and maintained by us (the "Company"), Canimaan Software Ltd. This document should be read prior to reporting a vulnerability to us, and we request that the reporter maintains compliance with the following terms.

As an organisation passionate about cyber security, we highly value those who take the time and effort to report vulnerabilities to us in a responsible manner. We do not currently offer monetary rewards for vulnerability disclosure (i.e. in the form of a "bug-bounty" programme), but we will publicly credit the reporter in our release notes and in any public documentation about the vulnerability.

# Reporting

If you have reason to believe that you have discovered a vulnerability, please submit a report to us at the following email address: security@clamxav.com

You may encrypt your communication using our PGP key, which you can find linked in our security.txt file (https://clamxav.com/.well-known/security.txt).

In your report, you should include the following:

* The product, web page or IP address where the vulnerability exists.
* A brief description of the type of vulnerability using common terms, such as those described in MITRE's CWE or similar (https://cwe.mitre.org/). For example: "XSS Vulnerability".
* Steps to reproduce the vulnerability, including a working proof of concept.

We should be able to triage the vulnerability quickly and comprehensively from the information you have given us.

# What to expect

After submitting your vulnerability report to us, a member of our team will respond to you within 5 working days. We are committed to maintaining an open dialogue with vulnerability reporters and will keep you informed of our progress.

We will assess the impact, severity and exploit complexity of the reported vulnerability and prioritise remediation appropriately. The team member you are liaising with will provide an update after our initial triage with an estimate of how long it will take our development team to issue a fix. Please note that this is only an estimate and shouldn't be considered a commitment from us to a particular time-scale.

Once a solution has been developed and the vulnerability remediated, we will inform you and, where appropriate, invite you to test the solution.

If you are intending to produce documentation about the vulnerability or the disclosure process, we politely request that you coordinate this with our public release. This allows us to be consistent when issuing guidance to affected users.

# Guidance

For your disclosure to be considered responsible by us, you must NOT:

* Break any applicable law in your research or exploitation of the vulnerability.
* Unlawfully access unnecessary, excessive or significant amounts of data generated by or about the Company.
* Make modifications to the Company's systems or services.
* Use high-velocity, wide-reaching or invasive scanning tools in an attempt to discover vulnerabilities.
* Make use of any tooling or techniques which could cause disruption to systems owned by the Company or prevent business continuity.
* Attempt to report vulnerabilities to us in an insecure manner or using methods not defined in our security.txt.
* Make any demands to the Company or impose conditions on the disclosure of the vulnerability.
* Report non-exploitable vulnerabilities or fail to provide a proof of concept exploit.

You must:

* Take action to secure any data about the vulnerability during the disclosure period. Once remediation has occurred or when it is no longer required, all data generated by your research should be securely deleted.