Vulnerability Disclosure Policy

Policy

LithuaniaTech takes seriously its responsibility to protect public information from unwarranted disclosure.

To help mitigate this risk, UAB LithuaniaTech encourages cybersecurity researchers to report vulnerabilities in its products so that it can take appropriate action to remediate them and ensure the security of stakeholder information.

This notice describes which systems and types of investigations are covered by this policy, how to report vulnerabilities, and how long we ask cybersecurity researchers to wait before publicly disclosing vulnerabilities.

 

Guidelines

We ask cybersecurity researchers to:

- Make every effort to prevent privacy breaches, degradation of user experience, disruption of production systems, and data destruction or manipulation.

- Use testing tools only as necessary to confirm vulnerabilities. This means that you should not use the devices or software to corrupt or exfiltrate data, or to "port" data to other systems.

- Stop the test and notify us immediately if you confirm the existence of a vulnerability or gain access to the following published data.

- Keep all information about discovered vulnerabilities confidential for at least 90 calendar days after the cybersecurity researcher has notified LithuaniaTech using the process described here.

 

Scope

This policy applies to the following systems:

- lithuaniatech.eu

- imsand.eu

- lithuaniatech.lt

- IMSAND software

Any services not specifically listed above, such as related services, are out of scope and must not be tested. If you are unsure whether a system or endpoint is in scope, please contact info@lithuaniatech.eu before proceeding.

If a cybersecurity researcher testing under this policy encounters any of the following on our systems, please stop testing and notify us immediately.

We prohibit the following types of tests:

- User interface errors or spelling mistakes

- Network denial of service (DoS or DDoS) tests

- Physical access tests (entering offices, opening doors, and inspection).

- Social engineering, including phishing and other non-technical vulnerability assessment.

 

Permission

LithuaniaTech will not pursue civil claims for accidental, bona fide violations of its policies, nor will it file complaints with law enforcement agencies for inadvertent infractions. LithuaniaTech considers activities conducted in accordance with this Policy to be "authorized" conduct.

Disclosure of vulnerabilities is voluntary. Disclosure of vulnerability information to UAB LithuaniaTech in no way creates a contractual or other type of relationship between the investigator and UAB LithuaniaTech. By submitting a vulnerability, the cybersecurity researcher must expressly acknowledge that "I do not expect to receive any remuneration for these services and expressly waive any future claims for payment in connection with the submission".

 

Breach notification

Cybersecurity researchers should submit vulnerability reports to UAB LithuaniaTech at info@lithuaniatech.eu. Reports should include the following information:

- A description of the location of the vulnerability and potential impact

- Date and time of the vulnerability investigation

- A detailed description of the actions required to remediate the vulnerability. Proof-of-concept scenarios and screenshots are useful.

- Any technical information and related materials needed to reproduce the problem

Keep vulnerability reports up to date and send updates to info@lithuaniatech.eu as new information becomes available. After review, LithuaniaTech may share some of the vulnerability data with other parties, including any related vendors or open source projects. Although LithuaniaTech welcomes anonymous submissions, a researcher's anonymity may limit LithuaniaTech's capacity to collaborate in addressing the breaches.

 

Coordinated disclosure

LithuaniaTech is committed to resolving vulnerabilities on a continuous basis and to providing details of those vulnerabilities once they are fixed. Furthermore, LithuaniaTech believes that public disclosure of vulnerabilities is an important component of the vulnerability disclosure process, and that sharing such patches is one of the most effective ways to enhance software and services.

However, disclosure of vulnerabilities without timely remediation increases the risk to stakeholder data, so we ask cybersecurity researchers to refrain from sharing information about vulnerabilities in LithuaniaTech products with others while we are working on remediation. If it is necessary to inform others about a vulnerability before appropriate remediation measures are in place, please let us know so that we can coordinate our efforts.

LithuaniaTech may decide to coordinate a public notification with a cybersecurity researcher, to be issued alongside the fix, but cybersecurity researchers are free to make their own disclosures if so desired.

LithuaniaTech will not disclose any information about a cybersecurity researcher without the researcher's permission. In some situations, LithuaniaTech may contain sensitive information that needs to be redacted to prevent it from becoming public; therefore, cybersecurity researchers must get LithuaniaTech's permission before self-disclosing data. Failure to do so undermines the goodwill intended by this policy.