As a provider of security solutions, services, and research, Atmosec takes security issues very seriously. It is our policy to work and coordinate with other vendors with regards to discovered vulnerabilities, with the intention of keeping users and customers safe. This document will share our process for disclosure.
Atmosec will reach out to the impacted vendor, vendors, or other, through the appropriate contact method to notify them of the existence of a discovered vulnerability with regards to their product or service offering. If a vendor did not publish a designated security contact on their website, Atmosec will attempt to contact relevant contacts and will email “security@” mailbox. When a secure method of communication is provided from the vendor(s) or other, Atmosec will share its findings. To ensure contact is made, Atmosec will make multiple, documented attempts to contact the vendor(s) or other, either directly or through third parties.
If no response is received from the impacted vendor(s) or other within two weeks, Atmosec may choose to release the findings publicly in order to notify and/or protect the greater public.
Atmosec will do its best to work with the appropriate vendor(s) or group over a 90-day time period to address the vulnerability with a patch. We will provide additional information, as well as assistance, to ensure the security issues identified are verified and resolved. At the end of the 90-day period, or before, in a case where the issue is resolved, Atmosec may publish its findings in order to notify and/or protect the greater public.
With any security issue, we recognize that it may take longer than 90 days to address the security issues. In these circumstances, we will work with the vendor(s) or group on a case-by-case basis.
Atmosec reserves the right to discuss and disclose any discovered vulnerability with other parties or security vendors if we deem it is in the greater interest of providing a better overall response. Any such disclosure will be made responsibly, and the other party or security vendor must ensure proper action and disclosure should they take any action.
Atmosec will publish any security findings on its website and other locations, as deemed appropriate and responsible.
Anyone wishing to reach out to Armis regarding a security vulnerability may do so at info@atmosec.com.