Public-Facing Responsible Disclosure Program
Purpose
Ascendion is committed to maintaining the highest standards of security across our products, services, and digital infrastructure. We value the contributions of the security research community and members of the public in helping us identify vulnerabilities.
This policy establishes a safe, transparent, and structured process for external parties to responsibly report potential security issues.
Scope
- Public-facing websites, applications, APIs, and digital services owned and operated by Ascendion.
- Based on the services explicitly listed on our website.
- Denial-of-service (DoS/DDoS) attacks or automated scanning that disrupts services.
Out of Scope
- Physical attacks against Ascendion offices, facilities, or employees.
- Vulnerabilities in third-party applications or platforms not managed by Ascendion.
Reporting Guidelines
- Reports should be submitted to: infosecoffice@ascendion.com
- Reports must include:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact and risk.
- Supporting evidence (screenshots, logs, or proof-of-concept code, if applicable).
- We ask reporters to:
- Refrain from exploiting vulnerabilities beyond what is necessary to report the issue.
- Respect privacy and confidentiality.
Our Commitment
- Acknowledgment: We will acknowledge receipt of your report within 5 business days.
- Assessment: Our security team will investigate and validate the issue.
- Remediation: Confirmed vulnerabilities will be prioritized based on severity and business impact.
- Transparency: We will update you on the status of your report and notify you when remediation is complete.
- Recognition: With your consent, we will acknowledge your contribution via email.
Safe Harbor
We are committed to protecting researchers who act in good faith:
- If you follow the guidelines in this policy and act within the scope, we will not pursue legal action against you.
- We consider your security research activities conducted under this policy as authorized access under applicable laws.
- We will not initiate legal proceedings against you for reporting a vulnerability in line with this policy.
Roles and Responsibilities
- External Researchers: Report vulnerabilities responsibly and within scope. Avoid privacy violations, service disruption, or accessing other data.
- Information Security Team: Acknowledge, triage, validate, and coordinate remediation of reported vulnerabilities.
Review and Evaluation of Procedure
This procedure shall be reviewed once a year or if any change to the policy takes place.
