Vulnerability Disclosure

Kerlink provides a place for externals to responsibly report vulnerabilities that affect Kerlink products and services. This policy is intended to provide Reporters our instructions and commitments regarding the submission of discovered vulnerabilities.

Procedure

Please submit your initial request through the web form: here

Kerlink will acknowledge and provide you the procedure for submitting a detailed report and communicate with us.

Once received, vulnerabilities are analyzed and shared with experts of affected products.

Valid vulnerabilities will be supported in the vulnerability remediation process for the affected products and services.

As a reporter you will be informed of the progress of the process from the initial submission up to the remediation.

Required information

It is essential that investigation teams have all the information they need to validate vulnerabilities and investigate remediation solutions.

For each reported potential vulnerability, the following information is important:

• List of affected products and services, including versions
• How to identify or reproduce the vulnerability. If necessary, supplement with the appropriate configuration elements.
• Specify the impacts on data and processing.
• Offer an estimate of the level of severity.
• Where possible, please state the possible root cause(s).
• Please feel free to make suggestions for remediation or mitigation.

Commitments

Kerlink commits to:

• Acknowledge the initial request within 8 days of its submission.
• Keep the Reporter informed of developments in the treatment of reported vulnerabilities.
• Provide remediation solutions in a timely manner.
• Treat provided information confidentially. 

The Reporter commits to:

• Provide detailed information about the vulnerabilit
• Not to disclose the vulnerabilities with third parties until they have been resolved by Kerlink.
• Not to use the vulnerabilities for exploitation beyond the necessary to demonstrate them.