Responsible disclosure program

HMS places the utmost importance on the security of our products and systems. However, despite all the measures we take, it cannot be excluded that vulnerabilities persist. So that reporting can take place in an organized and secure manner, we invite you to follow the rules on this page before reporting a vulnerability.

Introduction 

We recognize the valuable role of the digital security research community and we welcome researchers' reports on potential vulnerabilities in our products and systems. We prefer to be informed as soon as possible so that we can take the necessary measures to protect our customers and strengthen the confidentiality, availability and integrity of our systems. If you have identified a vulnerability, we give you the opportunity to inform us responsibly.

 

Please provide the following information
  • The nature of the error or discovery identified
  • The steps necessary to replicate it
  • The applications, programs or tools that you have used to identify the vulnerability
  • The date and time when you performed the tests
  • Images or videos reproducing the problem, if you consider them appropriate
  • Your contact details if you wish to be contacted. If you wish to remain anonymous, please use an anonymous email transfer service. We also take anonymous reports seriously
  • Your disclosure plans
  • Whether or not you want public recognition

This applies if you contact us by encrypted email. If you instead use the Report incident and vulnerability form, you must fill out all the required fields and we will have what we need.

 
Rules
  • Do not share vulnerability information with third parties until the problem is resolved.
  • Do not take any action beyond what is necessary to demonstrate the safety problem.
  • Do not abuse the vulnerability. Collect only the information necessary to notify us of the problem.
  • Do not store confidential data obtained through the vulnerability.
  • You may not delete, modify or corrupt data.
  • Do not cause service interruptions or system malfunctions when testing for the vulnerability you have discovered.
  • Do not use physical attacks or DDoS attacks.
  • Attempts at social engineering, malware installation, phishing and password theft are prohibited.

 

What will HMS Networks do?
  • You will receive an acknowledgement of receipt from HMS within three working days of your report.
  • We need a reasonable amount of time to address the vulnerability before the information is made public. After analyzing the vulnerability, we will agree with you on the means of mitigation and the estimated schedule of their implementation.
  • We will notify you once the vulnerability is corrected.
  • HMS will determine with you whether and how the problem is published.
  • The problem will not be published until resolved. If you wish, HMS will mention your name as the discoverer.
 
Exclusions

This responsible disclosure program is not designed for complaints. The program is also not intended to:

  • Report that the website is not available;
  • Report fake emails (phishing);
  • Report fraud;
  • Request support for our products.

For any questions relating to these topics and for any other questions, please see our contact page.

 

Compensation

HMS Networks does not offer compensation for vulnerability discovery.

 

Non-compliance with these rules

If your actions have not respected the rules set out above, HMS Networks reserves the right to take legal action.

 
Encrypted email key

If you believe that you have discovered a security issue with our products or services, please notify us as soon as possible using the following email: [email protected].

If you want to send us an encrypted email, use the following address: [email protected]

The following public PGP key is available for encrypted communication:

Key ID: 3F982669

Key fingerprint: 9810 5448 5CC5 2102 07D8 A6EF 7DA2 7ECE 3F98 2669

 

Report a vulnerability through our online form

 

Report incident or vulnerability