Responsible Disclosure Policy
Effective Date: July 16, 2024
1. Introduction
Bossard Group is committed to the IT/Cyber/Information security of our products and services. We recognize the valuable role that security researchers and members of the security community play in helping us identify and mitigate potential vulnerabilities. This Responsible Disclosure Policy outlines our guidelines and procedures for the responsible reporting of security issues in our products and services.
2. Scope
This policy applies to all individuals, including security researchers, who discover and wish to report potential IT/Cyber/Information security vulnerabilities within Bossard's products, services, websites, and systems.
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Social engineering (e.g. phishing or vishing) or any other non-technical vulnerability testing.
The following are out of scope for this policy:
- Third-party products or services that are integrated with or used in conjunction with our products and services.
- Physical security vulnerabilities or issues related to the security of our facilities or infrastructure (e.g. office access, open doors, tailgating).
3. Guidelines for Responsible Disclosure
3.1 Reporting Process
If you believe you have identified an IT/Cyber/Information security vulnerability within our products, services, websites, or systems, please report it to us as soon as possible by sending an email to whitehat@bossard.com and include the following information in your report:
- A detailed description of the vulnerability and its potential impact.
- Clear and concise steps to reproduce the vulnerability.
- Any supporting evidence, such as screenshots, proof-of-concept code, logs, or a video demonstration if the issue is complicated.
- Your contact information, including your email address, if you wish to be kept informed of the progress of remediation.
Testing must not violate any law or disrupt or compromise any data.
3.2 Scope of Vulnerabilities
This policy applies to all products and services offered by Bossard, including software, hardware, and cloud-based services. We welcome reports of all potential IT/Cyber/Information security vulnerabilities; examples include:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-side request forgery (SSRF)
- SQL Injection
- Remote Code Execution
- Authentication and Authorization Bypass
- Sensitive Data Exposure
This policy covers Bossard’s primary domains as well as its subsidiary domains, including:
- bossard.com
- ipsboi.com
- boysen.aero
- boysen-us.aero
- bighead.co.uk
3.3 Responsible Conduct
While researching and reporting security vulnerabilities, we expect security researchers to adhere to the following principles:
- Do not disclose the vulnerability to others until it has been adequately addressed by Bossard.
- Do not exploit the vulnerability to gain unauthorized access or cause harm to our systems or data.
- Respect our privacy, data, and intellectual property rights.
- Abide by all applicable laws and regulations.
4. Our Commitment
4.1 Investigation
Upon receiving an IT/Cyber/Information security vulnerability report, Bossard will acknowledge receipt within 72 hours, and we will initiate an investigation to confirm the reported issue. We will keep you informed about our progress and will provide updates on the resolution.
4.2 Resolution and Recognition
We will make every effort to address and resolve the reported vulnerability promptly. Our goal is to provide a fix or mitigation for the issue within a reasonable timeframe. Once the vulnerability has been successfully mitigated, we will inform you. Please note that we do not offer a bug bounty program. This means that Bossard does not pay rewards for disclosed security vulnerabilities.
5. Legal Protections
Bossard is committed to refraining from taking legal action against security researchers who fully adhere to the principles outlined in this policy, abide by applicable laws and regulations, and act in good faith. We will not pursue legal action against you for conducting IT/Cyber/Information security research within the scope of this policy.
6. Contact Information
To report a security vulnerability or for any questions related to this policy, please contact us at whitehat@bossard.com.
7. Revision and Updates
Bossard may revise and update this Responsible Disclosure Policy from time to time. We recommend checking this policy periodically to ensure you are aware of any changes.
By reporting security vulnerabilities to Bossard, you are contributing to the ongoing improvement of our security and helping us maintain the trust of our customers and users. We appreciate your efforts in making the digital world a safer place.