Introduction
This policy outlines the process for reporting vulnerabilities to TARDICS. We recommend thoroughly reviewing this policy before submitting a vulnerability report and ensuring your actions comply with its terms.
We greatly value the efforts of those who responsibly disclose security vulnerabilities in line with this policy. While we do not provide financial incentives for vulnerability disclosures, we also run a separate initiative called Hack for All™, which offers awards for discovering and responsibly reporting security vulnerabilities.
How to Report
If you believe you have discovered a security vulnerability in any of TARDICS's products or systems, please submit a report to security@tardics.com.
Your report should include the following details:
- Title: Provide a clear and concise summary of the vulnerability, and specify the application or site where it was identified.
- Asset (Required): Include relevant information such as a web address, IP address, product name or service name.
- Weakness: Describe the weakness, for example by referencing a CVE identifier if one is available.
- Severity: Specify the severity level (e.g., low, medium, high, critical) and, if possible, include a CVSS-calculated score.
- Vulnerability Description (Required):
  - Provide a summary of the vulnerability.
  - Attach supporting evidence, such as screenshots or videos.
  - Suggest any potential mitigations.
- Steps to Reproduce (Required): Outline clear and detailed instructions to reproduce the vulnerability, including a safe, non-destructive proof of concept.
- Impact: Explain the potential consequences of exploiting the vulnerability.
- Contact Information: Your name and email address. These details are optional to allow for anonymous submissions.
What to Expect
After submitting your report, you will receive an initial response within five working days, and we aim to triage your report within ten working days. We will also keep you updated on our progress.
We prioritise remediation efforts based on the vulnerability's impact, severity and exploit complexity. Please note that it may take time to investigate or resolve some reports. While you are welcome to ask about the status of your report, we request that you limit inquiries to once every 14 days to allow our teams to focus on resolving the issue.
Once the vulnerability is addressed, we will notify you and may invite you to verify that the remediation effectively resolves the issue. If you wish to disclose your report publicly after the vulnerability has been resolved, we encourage coordination with us to ensure consistency in communication.
Guidelines
Prohibited Actions
- Do not violate any laws or regulations.
- Do not alter any data within TARDICS's systems or services.
- Refrain from using invasive, high-intensity or destructive scanning tools to identify vulnerabilities.
- Do not attempt or report denial-of-service attacks, such as overwhelming services with excessive requests.
- Avoid actions that disrupt TARDICS's systems or services.
- Do not submit reports on non-exploitable vulnerabilities or reports highlighting minor deviations from "best practices".
- Avoid engaging in social engineering, phishing, or physical attacks against TARDICS staff or infrastructure.
- Do not demand financial rewards in exchange for disclosing vulnerabilities.
Required Actions
- Always adhere to data protection regulations and avoid compromising the privacy of any data managed by TARDICS. For example, do not share, redistribute, or improperly secure data obtained during your research.
- Delete all data retrieved during your research securely once it is no longer needed or within one month of the vulnerability being resolved, whichever comes first (unless otherwise required by data protection laws).
Legalities
This policy aligns with recognised best practices for responsible vulnerability disclosure. It does not authorise actions that violate applicable laws or cause TARDICS, its overseas subsidiaries or affiliates, its customers, or its business partners to breach their legal obligations.