REPLIL VULNERABILITY MANAGEMENT POLICY


REPLIL Vulnerability Handling & Coordinated Disclosure Policy (“Policy”) addresses cybersecurity vulnerabilities affecting REPLIL products, software, and systems to support the security and safety of our customers. We work collaboratively with researchers, Cyber Emergency Response Teams (CERTs), and asset owners to ensure that accurate information is provided in a timely fashion to adequately protect customer installations. This policy targets compliance with ISO/IEC 29147 and ISO/IEC 30111.

REPLIL Technologies values the work of security researchers and seeks to work collaboratively and responsibly with them to improve the security of its products, software, and systems. Researchers participating in research programs agree to follow responsible research and disclosure principles, and the program rules described below. In performing research on REPLIL Technologies products, software, and systems and participating in this program, researchers agree:

  • Not to cause any harm to product owners or operators, REPLIL Technologies, or other third parties, including by compromising installed products, software, and systems or the privacy of REPLIL Technologies customers, employees, or third parties;
  • To comply with applicable governing law; and
  • That any disclosure of a reported vulnerability shall be conducted according to the terms of this program.

REPLIL Technologies agrees not to pursue legal action relating to a vulnerability report and the associated security research against a researcher that complies with the program rules.

To report a security vulnerability affecting a REPLIL Technologies product, refer to our Report a Vulnerability page, which contains all the information necessary to submit a report. REPLIL usually responds to incoming reports within two business days (United States Eastern Time).

Include the following information in a report encrypted with our PGP key:

  • Product name, model, and firmware version, including the product reference ID and/or part number if available
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code
  • Impact of the issue, including how an attacker could exploit the issue
  • Any other relevant information

REPLIL Technologies will analyze the reported potential vulnerability. The cybersecurity team will communicate to the reporting entity our conclusion and/or a request for more information upon completion of the review of the potential vulnerability, as determined in its sole discretion. Reporting entities must respond within 30 days or the case will be closed.

If REPLIL Technologies determines that a report does not identify a vulnerability or that the reported vulnerability is a duplicate of a previously reported vulnerability, it will notify the reporting entity.

Note: The time required for handling, including Mitigation and Disclosure, may be impacted by the relative criticality of the vulnerability and other relevant factors.

REPLIL Technologies determines the root cause of the vulnerability and develops a resolution or determines mitigation measures. During this phase, the REPLIL Cybersecurity team maintains active and secure communications with the reporting entity regarding any mitigations, potentially including advisories, patches, or updates.

REPLIL Technologies discloses vulnerabilities and associated risk mitigation measures to support customers as they secure installed products, software, and systems.

REPLIL Technologies will disclose reported vulnerabilities rated Medium, High, or Critical through a Security Notification posted on our support site. A Security Notification is intended to provide customers with sufficient information to understand the vulnerability and take appropriate mitigating actions. Each Security Notification contains, as appropriate:

  • Overall description of the vulnerability including CVSS score, the impact of the vulnerability if exploited, and CVE (if applicable).
  • Identification of products, software, and systems and versions affected.
  • Patches or mitigating actions to reduce the risk of exploitation, including patch download instructions where applicable. REPLIL Technologies always encourages customers to take advantage of these updates and/or instructions and patch their installations appropriately.

By submitting a vulnerability report to REPLIL Technologies, a Researcher grants REPLIL Technologies a non-exclusive, worldwide, irrevocable, perpetual, sub-licensable, royalty-free license to any intellectual property contained in that report or in any follow-up communications related to the report, to analyze, commercialize, publicize, disclose, or otherwise use such intellectual property in any manner. Participating in this program does not give a Researcher any right to any intellectual property of REPLIL Technologies.

REPLIL Technologies reserves the right to change these terms at any time and without advance notice. Continued participation in this program after a change in terms constitutes acceptance of the amended terms.

Reporting entities subject to this policy are required to fully cooperate with any requests by REPLIL Technologies for additional information, assistance, and research, and agree to coordinate disclosures of any vulnerabilities as noted herein and as may be requested by REPLIL Technologies in its sole discretion.
