Security & Vulnerability disclosure Policy

Effective Starting: May 5, 2020
We consider that the safety and security of our customers is one of the top priorities. Therefore, we design and make products and services with the best quality and reliability possible. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products, services and systems.

This document describes Patrowl’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.

Everyone is encouraged to report identified vulnerabilities, regardless the type of service or products. Researchers, partners, CERTs, customers or any other source are welcomed to report the vulnerabilities.

When to contact the security team ?

The preferred method for contacting Patrowl’s security operational team is by sending email to security@patrowl.io if you have identified a potential security vulnerability with one of our products or our services.

To facilitate our management of the vulnerability, we expect some well-written reports in English or French containing the following information:

Time and date of discovery
Product Model & number using the vendor nomenclature if possible
URL, browser information including type and version and input required to reproduce the vulnerability;
Technical Description — provide what actions were being performed and the result in as much detail as possible;
Sample Code — if possible, provide code that was used in testing to create the vulnerability;
Reporting’s party Contact Information — best method to reach
Disclosure Plan(s) — current plan to disclose;
Threat/Risk Assessment — contains details of the identified threats and/or risks including a risk level (high, medium, low) for assessment result;
Software Configuration — details to computer/device configuration at time of vulnerability;
Relevant information about connected devices if vulnerability arises during interaction. When a secondary device triggers the vulnerability, these details should be provided.
Please do not include personal data in your reports, except what is necessary to contact you. Participating in this program does not give you any right to intellectual property owned by Patrowl, GreenLock Advisory or a third party.

Next steps ?

After your incident report is received, the appropriate personnel will contact you to follow-up. To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail. We are equipped to receive messages encrypted using PGP. Our PGP public key can be used to send encrypted email.

Patrowl attempts to acknowledge receipt to all submitted reports within seven days

Then Patrowl will engage an open dialog to discuss issues, notify you at each stage of the investigation.

Patrowl retains discretion to determine whether to accept a report into the program. For example, Patrowl will not accept into this program vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Patrowl’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements.

Disclosure requirements

Patrowl agrees not to pursue legal action against reporting parties who submit in-scope reports and:

Engage in testing/research of systems without harming Patrowl, its customers, employees, or third parties;
Do not use or alter any data it might access during its discovery;
Do not conduct social engineering, spam, or phishing attacks;
Do not test the physical security of any property of Patrowl or third parties;
Do not conduct denial-of-service or resource-exhaustion attacks;
Comply with applicable criminal laws;
Adhere to other applicable laws (other than those that would result only in claims by Patrowl).
The reporting party(s) who submits a report to Patrowl through this website agrees not to disclose to a third-party any information related to that report, the vulnerability reported, nor the fact that a vulnerability has been reported to Patrowl. This agreement regarding disclosure applies regardless of whether Patrowl had prior knowledge of the information.

You agree that Patrowl may disclose the information in a report you submit through this website. Patrowl will consider any request from a reporting party to make a disclosure, but reserves the right to deny such requests.

Patrowl appreciates the efforts made by the reporting party in identifying the vulnerability. We thank you for going out of your way to improve the security of our product and systems and the Internet community as a whole.

All aspects of this process are subject to change without notice, as well as to case-by exceptions. No particular level of response is guaranteed for any specific issue or class of issues.