Gendis Vulnerability Disclosure
We take all feedback on our systems seriously and remain committed to continuous improvement.
The feedback we get from security researchers is appreciated as it helps us safeguard our services and continue to provide a world class experience for everyone who uses our products.
Like all good technology companies we have a clear, formal and robust process for the reporting of bugs and issues. We are committed to keeping our products secure by following best practices, new guidance and the latest technologies. We are continuously working on improving our products and regularly release updates.
We operate a policy of responsible disclosure for reporting security vulnerabilities. However, we do not operate a rewards scheme for the disclosure of security research.
General Distribution Ltd. (Gendis) does not intend to engage in legal action against individuals who:
-
Engage in testing of systems/research without harming anyone or the property of anyone
-
Test on products without affecting customers or their properties, or receive consent from customers before engaging in vulnerability testing against their devices or software
-
Adhere to the applicable laws and comply with all applicable software license requirements
-
Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires
-
Avoid impact to the safety or privacy of anyone
-
Avoid causing loss or damage to anyone’s property
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Gendis or any partner organisations to be in breach of any legal obligations.
If you have any existing contractual relationship with Gendis (whether as employee or as an external contractor or supplier) then this policy supplements any terms and conditions governing that relationship. In the event of any conflict or inconsistency between this policy and the terms and conditions governing your existing contractual relationship, those terms and conditions will prevail.
Reporting an issue
To report a security vulnerability affecting a Gendis product, please contact us by populating this FORM.
In order to obtain the most value from this program, for both Gendis and the participating security researcher, we require disclosures which include at least:
-
Reports that are well-written and submitted in English
-
Reports that include proof of concept code -where relevant- that permit Gendis to better triage the issue
But preferably also include:
-
Reports that include details of how the vulnerability was identified, steps to reproduce, a suggested impact rating, and any potential remediations you might suggest
-
Reports that are more than just output from automated testing tools, and scans
-
Reports that include any intentions or timelines for public disclosure
If you follow these guidelines, you can expect the following from Gendis:
-
A timely response to your initial disclosure, typically within 5 working days
-
Open dialog which includes preliminary remediation timelines where a remediation is necessary
-
Report of any issues or challenges that may delay resolution
-
Notification when final remediation has occurred
What we do not allow
We do not allow any actions aimed at disrupting our services, compromising the integrity of our intellectual property, or jeopardizing the security of our customer's personal data and property. With that in mind, these are some of the specific things we don’t allow:
-
Public disclosure of personal, proprietary or financial information
-
The modification or deletion of data that isn’t yours
-
Interruption, degradation or outage to services (like Denial of Service attacks)
-
Spamming/social engineering/phishing attacks
-
Physical exploits/attacks on our infrastructure
-
Local network-based attacks such as DNS poisoning or ARP spoofing
-
Attempts to gain unauthorized access to our infrastructure or its associated devices
-
Exploitation of known vulnerabilities
-
Unauthorized modification of device configuration, including tampering with device settings and firmware
-
Reverse engineering or decompilation.
If you have any questions, please populate the form above.