This policy outlines clear guidelines on the process of collaboration between Socomec and any other natural or legal person, including security researchers, who might report a vulnerability found in Socomec’s products.
This policy describes the communication channel made available for reporting vulnerabilities, our procedure for handling the reports received (including our processing times during which the researcher is asked not to disclose the vulnerability to third parties) and all the stages of collaboration from initial contact to patch deployment.
Socomec values this collaboration and makes every effort to handle the reports received efficiently and in a timely manner. We encourage anyone and everyone to first and foremost reach out to us and report potential vulnerabilities in our products, allowing us to provide corrective measures that serve the security of our users and the general public.
Socomec does not offer bug bounties, but our Vulnerability Disclosure Policy (VDP) does include a wall of fame through which we will openly acknowledge your contribution in identifying and correcting our products’ vulnerabilities, if you so wish.
Scope
The Vulnerability Disclosure Policy applies to any person or entity, notably security researchers, and covers all vulnerabilities relating to all of Socomec’s products, applications and services, as well as all Socomec websites.
Guidelines
Please respect the following guidelines when reporting a vulnerability.
Exposing vulnerabilities of our products in the public arena may have severe consequences and may harm Socomec’s interests. We reserve all rights to bring legal action against any natural person and/or legal entity that inflicts damage on Socomec by overlooking and/or infringing the following guidelines.
Do
- Notify Socomec as soon as possible after you discover a real or potential security issue;
- Describe the location of the vulnerability that was discovered and its potential impact;
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful);
- Write your report in English;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data;
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems;
- Agree to not publicly disclose a reported vulnerability until after a fix or mitigation has been released and you have received approval from Socomec.
Don't
- Submit a high volume of low-quality reports;
- Demand a financial compensation in exchange for your reports;
- Carry out network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data;
- Carry out physical testing (e.g. office access), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Report a vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or correct vulnerabilities. Socomec will not share your identity or contact information without your express permission.
You may submit your vulnerability reports using this form or via cyberalert@socomec.com. Reports may be submitted anonymously. In your report, please specify:
- A description of the vulnerability;
- The potential impact of the vulnerability;
- The product and its version impacted;
- The CVSS details: attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability.
What you can expect from Socomec
Once the report is submitted:
- We will notify you that the report has been received within 72 hours from the time of its receipt;
- We will complete the qualification of the vulnerability within 30 days from the date of the report’s receipt. In the event of specific issues preventing us from meeting this deadline, we will promptly communicate a new reasonable and proportionate deadline for completing this qualification;
- We will remedy the vulnerability and publish the fix for critical and important vulnerabilities within 60 days from the date of qualification. In the event of specific difficulties preventing us from meeting this deadline, we will promptly communicate a new reasonable and proportionate deadline for completing this remediation.
Questions
Questions regarding this policy may be sent to cyberalert@socomec.com. We also invite you to contact Socomec with suggestions for improving this policy.