Mobile PC Manager: Vulnerability Disclosure Policy
Vulnerability Disclosure Policy
At Mobile PC Manager, we take our responsibility to protect our customers’ information and the software and services we provide to them very seriously. We want our customers to feel comfortable with our security and vulnerability policy and to work with us to keep our information and the software and services we provide safe.
This policy describes what systems and types of research are covered, rules of engagement, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We reserve the right to update this policy at any time, so please review the policy periodically.
The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our customers’ and users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.
Rules of Engagement
We simply ask that our customers follow these simple rules of engagement to limit the potential that our company and/or our customers’ data may be put at risk:
- Do not exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you during testing processes.
- Do not use your findings to phish, spam, social engineer, or otherwise defraud any customers or Mobile PC Manager employees while testing to gain more access.
- Do not try to physically access Mobile PC Manager properties, attempt to social engineer employees, or otherwise try to discover risk beyond digital means against Mobile PC Manager.
- Do not perform denial of service (DoS) or distributed denial of service (DDoS) attacks against any Mobile PC Manager resource to prove an impact for a suspected security issue.
If you encounter any of the below while testing within the scope of this policy, we ask that you stop your testing and notify us immediately:
- Personally identifiable information
- Information that you suspect is, or may reasonably be considered, proprietary or a trade secret of our company or any other party
- Denial of Service or situations where the site and application are not responding
Reporting a Vulnerability
We accept reports of vulnerabilities via email at info@MobilePCManager.com.
Your reports should include:
- Description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- Any technical information and related materials we would need to reproduce the issue.
- Please keep your vulnerability reports current by sending us any new information as it becomes available.
We may share your vulnerability reports with external third parties.
You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be compliant with this policy and we will work with you to understand and resolve the issue quickly.
Mobile PC Manager is committed to fixing verified and validated vulnerabilities reported to us and disclosing the details of those vulnerabilities in product release notes when updates to our products are made generally available. We know that public disclosure of vulnerabilities can be an essential part of the vulnerability disclosure process and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes.
At the same time, we believe that disclosure in the absence of a readily available fix tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on making a fix available to customers. If you believe there are others that should be informed of your report before a fix is available, please let us know so we may consider other arrangements.
We welcome and support co-publication of a coordinated advisory, but you are also welcome to self-disclose if you prefer. By default, we prefer to disclose everything, but, except in circumstances where we may be required by law, we will act in good faith to never publish information about you or our communications with you without your permission. In some cases, we may also have some sensitive information that should be redacted, so please check with us before self-disclosing.
What you can expect from us
- When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
Last Update: March 15, 2019