Responsible Disclosure Policy

INTRODUCTION

At Tempest, we take the security and privacy of our data and our users’ information seriously. We believe that no system is 100% secure and that collaboration with the security community is a key component of a robust security posture.

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences on how to submit discovered vulnerabilities to us.

AUTHORIZATION (SAFE HARBOR)

If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Tempest will not recommend or pursue legal action related to your research.

Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

GUIDELINES

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence.
  • Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
  • Maintain confidentiality: Do not disclose vulnerability details to the public or any third party until the issue has been remediated and we have provided explicit permission.

SCOPE

In-Scope Systems

Out-of-Scope Activities

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests.
  • Physical testing (e.g., office access, tailgating).
  • Social engineering (e.g., phishing, vishing).
  • Spamming or brute-force attacks.
  • Testing of third-party applications or services hosted by our vendors (please report issues in those to the vendor directly).

REPORTING A VULNERABILITY

To report a vulnerability, please email privacy@tempestns.com.

Your report should include:

  • A description of the vulnerability and its potential impact.
  • Clear, step-by-step instructions to reproduce the issue (scripts or screenshots are helpful).
  • The IP address or URL where the vulnerability was discovered.
  • (Optional) Your name/handle for recognition in our “Hall of Fame.”

WHAT YOU CAN EXPECT FROM US

When you report a vulnerability, we commit to the following:

  1. Acknowledgement: We will acknowledge receipt of your report within 3 business days.
  2. Validation: We will investigate the issue and keep you informed of our progress.
  3. Remediation: We will work to fix valid vulnerabilities in a timely manner.
  4. Recognition: If you are the first to report a unique, valid vulnerability and follow this policy, we will (with your permission) publicly recognize your contribution.

 

This document and all its attachments contain confidential and proprietary information and trade secrets subject to Tempest Telecom Solutions confidentiality and non-disclosure agreement(s). Unauthorized use, duplication, or disclosure is strictly prohibited without written consent.