Vulnerability Disclosure Policy
Needsec Limited is dedicated to addressing and reporting security issues using a coordinated and constructive approach that prioritizes the protection of their customers, partners, staff, and all internet users. This policy applies to any security vulnerabilities discovered by both Needsec Limited staff and others using their services. The senior management team is responsible for reviewing this policy annually, while day-to-day staff must follow it and receive regular training on how to do so.
To report a vulnerability or security incident, individuals can email firstname.lastname@example.org or fill out a contact form. Once a vulnerability report is received, the company follows a series of steps, including promptly acknowledging receipt of the report, requesting confidentiality, investigating the vulnerability with the reporter’s assistance, providing a timeframe for addressing the issue, and notifying the reporter when the vulnerability has been resolved.
Needsec Limited values the efforts of security researchers and discoverers who share information on security issues, as it helps improve their services and better protect their customers. To ensure responsible disclosure, the company requests that researchers allow a reasonable time period for the company to correct vulnerabilities before publicly disclosing the identified issue. Researchers are also asked to provide sufficient detail about the vulnerability to allow for successful investigation, to use the Common Vulnerability Scoring System when reporting a vulnerability, to avoid modifying or deleting data or impacting customers, and to avoid attempting to find weaknesses in the physical security of Needsec Limited’s offices or other locations.