1. Required Report Contents
When submitting a vulnerability, please include the following details so we can evaluate and respond promptly:
- Affected product and version (hardware/firmware/software)
- Type of issue with a brief description
- Technical details and potential impact
- Steps to reproduce and test environment
- Proof of concept (PoC) or other supporting materials
Do not attach destructive test scripts or conduct service disruptions or data deletion in a production environment.
2. Submission Method and Secure Transmission
- Send your report to the Arcadyan Security Team at security@arcadyan.com
- If the issue is high-risk, please add URGENT to the email subject line for priority handling.
- If the report contains intellectual property, sensitive environments, or personal data, we recommend using PGP encryption or uploading via an HTTPS form to ensure secure transmission.
3. Good-Faith Safe Harbor
Reports submitted in good faith under this policy are considered legal security research. Arcadyan will not take legal action, require an additional NDA, or penalize legitimate testing activities performed within reasonable bounds.
4. Scope and Prohibited Activities
- In Scope
  This policy applies to Arcadyan-released products, including open-source components or third-party modules bundled with our products. Do not test systems not under Arcadyan's control. If unsure, ask first or identify the system by URI/domain in your report.
- Out of Scope / Prohibited
  - Denial-of-service (DoS) attacks or large-scale scanning that disrupts service
  - Social engineering, phishing, or related techniques
  - Intentional modification, deletion, or damage to data/settings in production environments
  - Unauthorized ransom demands or any tests that destabilize others’ systems
Arcadyan reserves the right to investigate and take legal action regarding the above behaviors.
5. Responsible Disclosure and Coordination
- Do not publicly share technical details until a patch is released, to protect users who have not yet updated.
- If you prefer to remain anonymous or keep your organization/name confidential, state this in the report; we will respect your privacy.
- Arcadyan retains final discretion over how and when information is disclosed (e.g., advisories, briefings, technical blogs) and will coordinate timing with the reporter.