Vulnerability Disclosure Policy

If you believe you have found a security vulnerability in a Visility product, please tell us about it.

How to report a security vulnerability to us
If you believe you have found a security vulnerability in one of our web sites or apps, we encourage you to let us know right away. We welcome reports from everyone, including developers, researchers and customers.
To report a security vulnerability, please contact us here and include the following information:

– A URL or an IP address where you found the issue, and when you found it.
– A description of the issue, including what you saw and what you expected to see.
– A list of steps to reproduce the issue, or a video demonstration if it’s a complicated issue.

How Visility handles vulnerability disclosure
Visility will send you a reply within 7 days to let you know that we received your report, and we’ll contact you if we need more information.

When Visility receives a notification about a potential vulnerability under the Vulnerability Disclosure Policy, the notification is forwarded to Development, where it is investigated. If needed, Development contacts the user who originally submitted the form to exchange further information about the flaw. If Development confirms the vulnerability, it proposes a fix. Development then implements the fix and verifies its effectiveness internally. After confirmation that the vulnerability is fixed, an update or new firmware is rolled out and the updated changelog is published, containing a description of the closed vulnerability.

To protect our customers, we investigate all reported issues, but we do not confirm them publicly.

What we ask of you
• You make a good faith effort to avoid any legal and privacy violations, disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
• You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• You do not violate any other applicable laws or regulations.

Timeframe

7 days for the initial response, 30 days for Development to investigate and propose a fix, and 30 days for Development to integrate the fix. The fix will be released no later than 90 days after receiving the vulnerability report.