Responsible Disclosure Policy

Last update: Sept 19th, 2023


PURPOSE 

To provide a channel for external entities to report and disclose vulnerabilities they discover, and for internal entities to report information security policy violations. 


SCOPE 

Connect&GO’s Responsible Disclosure Policy covers Connect&GO’s core platform and its information security infrastructure, and applies to internal and external employees as well as third parties. 


BACKGROUND 

Connect&GO is committed to ensuring the safety and security of our customers and employees. We aim to foster an environment of trust and an open partnership with the security community, and we recognize the importance of vulnerability disclosures in continuing to ensure safety and security for all of our customers, our employees and the company. We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who provide us with their expertise.  

ROLES AND RESPONSIBILITIES 

Legal Framework

Connect&GO will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed Connect&GO product. We agree not to pursue legal action against individuals who: 

  • Disclose a vulnerability they found in good faith. 

  • Engage in vulnerability testing within the scope of our vulnerability disclosure program described within this policy. 

  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc. 

  • Adhere to the laws of their location and the location of Connect&GO.  

  • Refrain from disclosing vulnerabilities to the public before a mutually agreed-upon timeframe expires, subject to any non-disclosure agreements (see the Non-Disclosure section below). 

The foregoing legal framework does not authorize active vulnerability research involving direct interaction with Connect&GO systems; in particular, it does not constitute authorization to perform ethical hacking, penetration testing or exploit development against Connect&GO’s systems.   

Any violation of the foregoing legal framework without Connect&GO's explicit authorization may constitute a criminal offence, such as unauthorized use of a computer, and may additionally result in Connect&GO pursuing civil litigation against individual violators. 


POLICY 

Vulnerability Report/Disclosure 

How to Submit a Vulnerability 

To submit a vulnerability report to Connect&GO’s Security Team, please use the following email address: [email protected]


Preference, Prioritization, and Acceptance Criteria 

We will use the criteria in the following sections to prioritize and triage submissions. 


What we would like to see from you:  

  • Well-written reports in English or French will have a higher probability of resolution. 

  • Reports that include proof-of-concept code equip us to better triage. 

  • Reports that include only crash dumps or other automated tool output may receive lower priority. 

  • Reports that include products not on the initial scope list may receive lower priority. 

  • Please include how you found the bug, the impact, and any potential remediation. 

  • Please include any plans or intentions for public disclosure. 


What you can expect from Connect&GO: 

  • A timely response to your email (within 2 business days). 

  • All reports will receive an acknowledgment of receipt to confirm their submission. 

  • If we are unable to resolve communication issues or other problems, Connect&GO may bring in a neutral third party to assist in determining how best to handle the vulnerability. 

  • Records of all vulnerability reports, their resolution, and any non-disclosure agreements signed will be maintained for a specified period for audit and compliance purposes. 


Non-Disclosure  

All information relating to vulnerabilities that you become aware of through the Connect&GO responsible disclosure program, either by probing Connect&GO systems or through discussions with Connect&GO personnel, is considered confidential. In order to give Connect&GO time to remediate a vulnerability, you agree to refrain from disclosing confidential information publicly or to any third party (outside of Connect&GO) without prior, written approval from Connect&GO’s Security Team: [email protected].  

You agree to honor any request from Connect&GO’s Security Team to promptly return or destroy all copies of confidential information and all notes related to the confidential information. Your cooperation in this regard is essential and contributes to the secure resolution of potential vulnerabilities.  


Policy Maintenance and Contact Information 

This policy undergoes regular reviews and updates to ensure alignment with evolving organizational processes and the dynamic security landscape. The scope of products and services covered by this policy is continuously assessed and adjusted as necessary. For any inquiries or clarifications regarding this policy, please feel free to contact our designated security committee at [email protected]. We are here to assist you with any questions or concerns you may have related to our responsible disclosure and security practices.