Coordinated Vulnerability Disclosure Policy SSG
As of September 30, 2024
Purpose
The Swiss Securitas Group and its Group Companies, further referred to as “SSG”, are committed to maintaining the security and privacy of our systems. We recognize the important role that independent security researchers play in keeping our ecosystem secured and we encourage the responsible reporting of vulnerabilities.
Scope
This policy applies to all web properties, services, and systems owned, delivered or operated by SSG. Vulnerabilities in third-party applications, user-configured systems, or services not under our control are out of scope.
Reporting Guidelines
To minimize potential risks as well as potential civil and criminal consequences, we request that you adhere to the following rules when reporting a vulnerability:
- Notify us as soon as possible after you discover a real or potential security issue.
- Do not discuss or disclose the security vulnerability you have discovered with anyone other than the affected vendor, the respective system owner and SSG during the coordinated disclosure process.
- Do not publicly disclose the vulnerability until SSG has had a reasonable opportunity to address the issue.
- Once you have reported a vulnerability to SSG, do not repeatedly interact with the affected system during the coordinated disclosure process.
- Do not leverage vulnerabilities to access, modify or delete any data beyond the minimum necessary actions for reporting the vulnerability.
- Do not attempt to elevate privileges or explore a system beyond the minimum necessary for reporting the vulnerability.
- Do not perform any denial of service attacks, social engineering, or brute force attacks, and do not introduce malware.
- Provide us with a detailed description and a clear and concise step-by-step guide in English to allow for the reproduction of the security vulnerability. When possible, specify what IP addresses you were using when you discovered the vulnerability. This will help assess potential exploitations and reduce false positive alerts.
- Communicate your intentions to SSG if you aim to disclose your findings publicly (advisory, conference talk, article, etc.).
What you can expect from us
- You will receive an acknowledgement of receipt within 10 business days of disclosing the issue.
- SSG will aim to triage and validate your report within 15 business days.
- In the case of a vulnerability affecting the organization, SSG will seek to coordinate a remedy within a reasonable timeframe.
- SSG will treat reports as confidential and will not share the personal data of the reporting parties or receiving organization without their respective consent.
- Wherever possible, SSG will keep the reporting party informed of developments and the remedy for the vulnerability.
- With your consent, we will publicly acknowledge your contribution once the issue has been resolved.
- Currently, SSG does not offer any recompense to reporters.
Contact Information
For reporting a vulnerability or for any questions, please contact
cybersecurity-contact@securitas.ch
Legal Disclaimer
By submitting a report, you agree to act in accordance with this policy. SSG reserves the right to take legal action if this policy is violated or if the research is conducted in bad faith.