Responsible Disclosure Policy
At Ribbon, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. When a vulnerability is discovered, Ribbon would like to know about it as soon as an issue is detected so we can take necessary steps to address it as quickly as possible. Ribbon asks for your help to better protect our clients and our systems.
Please do the following:
- This policy is not applicable to Ribbon customers. If you are a customer under a maintenance contract, please log a case in the same manner that you log support requests or issues.
- If you are not a customer, please e-mail your findings to firstname.lastname@example.org. If possible, encrypt your findings using our PGP key (below) to prevent this critical information from falling into the wrong hands.
- Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Provide enough information to reproduce the problem so we will be able to resolve it as quickly as possible.
  - For hosted services: usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  - For appliances: the steps to reproduce, along with any information about software release, hardware model, serial number, etc., may be needed.
What Ribbon will do:
- Ribbon will respond to your report within three business days of our evaluation of your report and provide an expected resolution date.
- Ribbon will handle your report with strict confidentiality.
- Ribbon will keep you informed of the progress towards resolving the problem.
- In any public disclosure regarding the reported problem, Ribbon will include your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we thank you for reporting your experiences to us and assisting, as needed, in the ultimate publication of the problem.