Last active
April 15, 2026 12:41
Cyberrock Ltd — Vulnerability Disclosure Policy
```
# Cyberrock Ltd — Vulnerability Disclosure Policy
# Published in accordance with RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)
# To be hosted at: https://www.cyberrock.ai/.well-known/security.txt
Contact: mailto:security@cyberrock.ai
Expires: 2027-04-15T00:00:00.000Z
Preferred-Languages: en
Canonical: https://www.cyberrock.ai/.well-known/security.txt
Policy: https://www.cyberrock.ai/security
# -----------------------------------------------------------------------------
# Vulnerability Disclosure Policy — Cyberrock Ltd
# -----------------------------------------------------------------------------
#
# Cyberrock Ltd welcomes reports of security vulnerabilities in our products
# and services, including the Cyberrock Defender Mk3 device, the Cyberrock
# cloud platform, and our websites.
#
# How to report
# -------------
# Please send reports to security@cyberrock.ai. Include:
# - A description of the vulnerability
# - Steps to reproduce (proof-of-concept where applicable)
# - The affected product, version, or URL
# - Your name or handle (optional — reports may be submitted anonymously)
#
# Our commitments
# ---------------
# Cyberrock Ltd commits to the following response timelines:
#
# - Acknowledgement of receipt: within 3 working days
# - Initial triage and assessment: within 7 working days
# - Remediation of critical issues: within 30 days of triage, where
# technically feasible
#
# We will keep reporters informed of progress through to resolution and
# will notify the reporter when a fix has been deployed so that retesting
# can take place.
#
# Responsible disclosure
# ----------------------
# We request that reporters:
# - Give Cyberrock Ltd a reasonable period to remediate before any public
# disclosure (typically 90 days, or sooner by mutual agreement)
# - Do not exploit the vulnerability beyond what is necessary to demonstrate it
# - Do not access, modify, or delete data belonging to other users
# - Do not perform denial-of-service testing against production systems
#
# Researchers acting in good faith under this policy will not be subject to
# legal action by Cyberrock Ltd. We are happy to credit reporters in our
# security advisories unless anonymity is requested.
#
# Scope
# -----
# This policy covers:
# - The Cyberrock Defender Mk3 device (hardware, firmware, application)
# - Cyberrock Cloud services and APIs
# - cyberrock.ai and associated subdomains
#
# Out of scope:
# - Third-party services not operated by Cyberrock Ltd
# - Social engineering of Cyberrock staff or customers
# - Physical attacks against Cyberrock offices or personnel
#
# -----------------------------------------------------------------------------
# Cyberrock Ltd, 128 City Road, London, EC1V 2NX, United Kingdom
# -----------------------------------------------------------------------------
```