HMS Responsible Disclosure Program

 


Introduction

HMS places the utmost importance on the security of our products and systems. However, despite all the measures we take, we cannot rule out that vulnerabilities persist.

We recognize the valuable role of the digital security research community and we welcome researchers' reports on potential vulnerabilities in our products and systems.

We prefer to be informed as soon as possible so that we can take the necessary measures to protect our customers and strengthen the confidentiality, availability and integrity of our systems.

If you have identified a vulnerability, we give you the opportunity to inform us responsibly.

For this operation to take place in an organized and secure manner, we invite you to follow the rules below.

Contact

If you believe that you have discovered a security issue with our products or services, please notify us as soon as possible by email at hms-csrt@hms-networks.com

The following public PGP key is available for encrypted communication:


Key ID: 029CE763

Key fingerprint: D2E9 27A8 4F09 B1E5 0229 466C D8BA 7B5D 029C E763

Please provide the following information: 

  • The nature of the error or discovery identified;
  • The steps necessary to replicate it;
  • The applications, programs or tools that you have used to identify the vulnerability;
  • The date and time when you performed the tests;
  • In the event that you consider it appropriate, attach images or videos reproducing the problem;
  • Your contact details if you wish to be contacted. If you wish to remain anonymous, please use an anonymous email transfer service. We also take anonymous reports seriously.
  • Your disclosure plans;
  • Whether or not you wish to receive public recognition.

Rules

  • Do not share vulnerability information with third parties until the problem is resolved.
  • Do not take any action beyond what is necessary to demonstrate the security problem. Do not abuse the vulnerability. Collect only the information necessary to notify us of the problem. Do not store confidential data obtained through the vulnerability.
  • You may not delete, modify or corrupt data.
  • Do not cause service interruptions or system malfunctions when testing for the vulnerability you have discovered.
  • Do not use physical attacks or DDoS attacks.
  • Attempts at social engineering, malware installation, phishing and password theft are prohibited.

What will HMS Networks do?

  • You will receive an acknowledgement of receipt from HMS within three working days of your report.
  • We need a reasonable amount of time to address the vulnerability before the information is made public. After analyzing the vulnerability, we will agree with you on the means of mitigation and the estimated schedule of their implementation.
  • We will notify you once the vulnerability is corrected.
  • HMS will determine with you whether the problem is published and how.
  • The problem will not be published until resolved. If you wish, HMS will mention your name as the discoverer.

Exclusions

This responsible disclosure program is not designed for complaints. The program is also not intended to:

  • Report that the website is not available;
  • Report fraudulent emails (phishing);
  • Report fraud;
  • Request support for our products.

For any questions relating to these topics and for any other questions, please see our contacts page.

Compensation

HMS Networks does not offer compensation for vulnerability discovery.

Non-compliance with these rules

If your actions do not comply with the rules set out above, HMS Networks reserves the right to take legal action.