Vulnerability Disclosure Policy

Report a Security Issue

CounterCraft cares deeply about the security of our products, services, business applications, and infrastructure.

As security researchers ourselves, CounterCraft understands the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our products and services, there will always be emerging threats, new vulnerabilities, and opportunities to improve. To that end, CounterCraft believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture.

In the interest of protecting our customers, we provide the public research community the opportunity to engage, report, and receive credit for their work. While engaging with us, we ask that reporters honor responsible disclosure principles and processes and give CounterCraft an opportunity to evaluate, respond, and if necessary, remediate any confirmed security vulnerabilities prior to public disclosure.

If you have discovered a vulnerability in a CounterCraft product or service, please contact [email protected]. If this issue is significant enough to merit encryption, please use our PGP key available at https://www.countercraftsec.com/downloads/pgp.txt

Once we have received a vulnerability report, the following steps are taken:

  1. CounterCraft confirms receipt of the issue with the reporter.
  2. CounterCraft opens an investigation to verify the vulnerability. CounterCraft will work with the reporting entity to gather as much information as needed to verify the vulnerability.
  3. If the reporting entity is unable to produce information needed to verify the vulnerability, the issue will be closed.
  4. Upon verification, CounterCraft establishes a plan to remediate the vulnerability.
  5. CounterCraft executes the remediation plan and includes the security fix information in the release notes of the product, crediting the reporting entity unless the reporting entity would prefer not to be named.
  6. After implementing the remediation and publishing the release notes, the issue will be closed.

Compliance

To protect our customers, employees, and business, we request security researchers maintain compliance with this policy. CounterCraft will consider the submission as noncompliant if the submission is publicly disclosed without express written consent from CounterCraft. In addition, all research activity must be compliant with the following:

  • Do not perform research on CounterCraft products licensed, owned, or operated by a CounterCraft customer without their express permission. For example, if you are an employee of a CounterCraft customer, you may not use your employer’s CounterCraft product for security research without clearing it with the relevant management team at your company (such as the CISO or VP of Security).
  • Do not perform social engineering attacks against CounterCraft employees, customers, partners, or representatives.
  • Do not perform physical security attacks against any person or entity.
  • Do not perform denial of service attacks.