reporting helps everyone
In alignment with our commitment to security best practices and compliance with the NIST Cybersecurity Framework (RA-5(11)), we have established a public disclosure program to responsibly manage and address security vulnerabilities.
The primary objective of this Vulnerability Disclosure Policy (this “Policy”) is to help ensure that vulnerabilities are patched or fixed in a timely manner in order to increase operational security for customers. Ultimately, this Policy strives to balance this goal with the need to provide customers and vendors with adequate notice to provide effective solutions.
We encourage security researchers, ethical hackers, and members of the public to report any vulnerabilities they discover in our systems, services, or products. Responsible disclosure helps protect our users, safeguard sensitive information, and enhance the resilience of our infrastructure.
How to Report a Vulnerability
If you discover a potential security issue or vulnerability, please follow these guidelines to report it to us responsibly:
- Report Promptly: Submit the vulnerability report as soon as it is discovered to help us address it quickly and effectively.
- Provide Detailed Information:
  - A description of the vulnerability and its potential impact.
  - Steps to reproduce the issue (proof of concept is preferred).
  - Any relevant URLs, system configurations, or screenshots.
  - Your contact information for follow-up (optional but encouraged).
- Submit to the Designated Contact: Email your report to disclosures@cuicktrac.us with the subject line: “Vulnerability Disclosure: [Short Description]”.
Our Commitment
Acknowledgment
We will acknowledge receipt of your report within 5 business days.
Investigation
We will investigate the issue and determine its impact. You may be asked to provide additional information during this phase.
Remediation
If the vulnerability is validated, we will work to mitigate it and will keep you informed of the resolution timeline.
Public Disclosure
Once the vulnerability is resolved, we may choose to publicly disclose the issue to promote transparency and encourage community involvement. We will credit responsible researchers upon request and coordinate the timing of public announcements to ensure the issue is fully addressed before disclosure.
Responsible Disclosure Guidelines
We request that you:
- Avoid testing vulnerabilities on live systems in a way that could harm our users, systems, or data.
- Do not disclose the vulnerability publicly until we have had adequate time to investigate and address it.
- Avoid accessing, modifying, or deleting data that doesn’t belong to you.
Legal Safe Harbor
We are committed to working with researchers to improve our security, and as long as you act in good faith, we will:
- Not pursue legal action for reporting a vulnerability under this policy.
- Consider your actions to be authorized testing in line with our security policies.
Scope of the Policy
This policy applies to all systems, services, and products maintained by Beryllium InfoSec Inc. You must also NOT break any applicable law or regulations. Beryllium InfoSec Inc. does not condone actively auditing our infrastructure, social engineering (e.g., phishing), physical attacks or physical security vulnerabilities, attacks on third-party services we use, or the use of automated tools.
Safety is Essential
Responsible vulnerability disclosure ensures that security issues are handled promptly and appropriately.
We appreciate the cooperation and goodwill of all researchers who help us improve our systems.
Thank you for helping keep Beryllium InfoSec Inc. and our users secure!