Introduction
TKH Technology Poland Sp. z o.o. (“TKH Technology”, “us”, “our”) is committed to ensuring the security of its products. This Vulnerability Disclosure Policy (this “Policy”) provides security researchers with clear guidelines for conducting vulnerability discovery activities and conveys our guidelines and authorization for submitting discovered vulnerabilities to TKH Technology.
This Policy outlines the systems and types of research covered, the process for submitting vulnerability reports, and the required waiting period before publicly disclosing vulnerabilities. The goal is to foster a collaborative relationship with the security community to enhance the security of our products and protect our customers.
We encourage you to contact us to report potential vulnerabilities in our systems.
Guidelines
Researchers who discover vulnerabilities in our products are expected to follow the responsible disclosure principles below:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. Please keep the vulnerability confidential until we officially announce a resolution. We prioritize customer security and may need additional time to address certain issues.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personal data, financial information, proprietary information or trade secrets of any party), stop your test, notify us immediately, and do not disclose this data to anyone else.
Test Methods
The following test methods are unauthorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
- Automated exploitation (“auto-exploits”).
Scope
- TKH Technology products
- TKH Technology’s owned domains (e.g. www.tkhtechnology.com)
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing, unless specifically approved by TKH Technology in writing (in which case you shall be bound by this Policy). Additionally, vulnerabilities found in systems from our vendors fall outside the scope of this Policy and should be reported directly to the vendor according to their disclosure policy (if any). Should you have any doubt whether a system is in the scope of this Policy or not, contact us at security@tkhtechnology.com before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If you identify a system outside our current scope that you believe should be tested, please reach out to us for discussion. We may expand the scope of this Policy over time.
Reporting a Vulnerability
Information submitted under this Policy will be used solely for defensive purposes, that is, to mitigate or remediate vulnerabilities. If your findings include vulnerabilities that may impact not only TKH Technology’s customers but also other users of a third party’s product or service, we may share your report with CERT Polska, where it will be handled under their vulnerability disclosure procedure. We will not share your name or contact information without your express permission.
We accept vulnerability reports at:
- Report a vulnerability specific to a TKH Technology product: security@tkhtechnology.com
Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.
What can you expect from us?
If you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 5 business days, we will acknowledge that your report has been received.
- We will make efforts to be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
- In certain circumstances, we may deviate from this Policy, such as:
  - Imminent Risk: If the vulnerability poses an immediate risk to our customers, we may need to disclose it publicly without prior coordination.
  - Legal Requirements: We may be required to disclose vulnerabilities due to legal or regulatory obligations.
Revisions
We may revise this Policy from time to time. Any changes will be posted on our website.
Questions
Questions regarding this Policy may be sent to security@tkhtechnology.com.